Cross Domain Referrer Leakage

This is my first writeup, so please forgive any mistakes.

I was searching for a program where I could test my skills and finally found one. I can’t disclose the program name, so I will call it “target”.

I tried everything I knew to find IDOR, CSRF, XSS, etc., but the application was well secured. Then I moved to the password reset area; user enumeration and victim flooding were out of scope there. Finally I went for Cross Domain Referrer Leakage.

What is Cross Domain Referrer Leakage?

I am here to discuss how to reproduce it, not what this vulnerability is; to understand that, you can read this:

Steps to Reproduce:

  1. Go to the password reset area and have a forgot-password link sent to your email address.
  2. Copy the password reset link and paste it into a browser that is configured to proxy through Burp Suite.
  3. Turn on intercept and capture the requests the reset page makes.
  4. For each request, check for a Referer header, then check whether that header contains the password reset link. If it does, check the Host of the request.
  5. If the Referer carries the complete password reset link including the token, and the Host is a third-party website, that is the vulnerability.
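The mechanism behind steps 4 and 5 is that the browser puts the URL of the page it is on (the reset link, token included) into the Referer header of every request that page triggers, including requests for third-party scripts and images. The check can be automated over the requests Burp captures. The following is an added example, not code from the original writeup; it assumes raw HTTP/1.1 request text as input, an assumed list of parameter names that commonly carry reset tokens, and constructed sample requests with placeholder hostnames (target.example, analytics.third-party.example) and a made-up token.

```python
"""Added example: classify intercepted requests for password-reset token leakage via Referer."""
from urllib.parse import parse_qs, urlsplit

# Query-string parameter names that commonly carry reset tokens (assumed list, extend as needed).
TOKEN_PARAMS = {"token", "reset_token", "key", "code"}


def parse_raw_request(raw: str):
    """Split a raw HTTP/1.1 request (as shown in Burp's intercept tab) into method, target, headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def site_of(host: str) -> str:
    """Crude 'site' = last two DNS labels. Simplification: a real tool would use the Public Suffix List
    so that co.uk-style domains are not treated as one site."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_referrer_leak(raw: str, token_params=TOKEN_PARAMS) -> dict:
    """Does this request's Referer carry a reset token, and is the request going to another site?"""
    _method, _target, headers = parse_raw_request(raw)
    dest_host = headers.get("host", "").split(":")[0].lower()
    referer = headers.get("referer")
    if not referer:
        return {"referrer_carries_token": False, "cross_domain": False,
                "vulnerable": False, "leaked_params": {}, "reason": "no Referer header"}
    ref = urlsplit(referer)
    ref_host = (ref.hostname or "").lower()
    # Token-like parameters present in the Referer's query string.
    leaked = {k: v[0] for k, v in parse_qs(ref.query).items() if k.lower() in token_params}
    cross_domain = bool(ref_host) and site_of(ref_host) != site_of(dest_host)
    carries_token = bool(leaked)
    if carries_token and cross_domain:
        reason = f"reset token sent to third-party host {dest_host}"
    elif carries_token:
        reason = "token in Referer but request stays on the same site"
    else:
        reason = "Referer holds no token-like parameter"
    return {"referrer_carries_token": carries_token, "cross_domain": cross_domain,
            "vulnerable": carries_token and cross_domain, "leaked_params": leaked, "reason": reason}


# Constructed sample requests, modelled on what step 3 would show in Burp.
# 1) The reset page loads a third-party script; the full reset URL rides along in Referer.
LEAKING_REQUEST = (
    "GET /collect.js HTTP/1.1\r\n"
    "Host: analytics.third-party.example\r\n"
    "Referer: https://target.example/reset-password?token=abc123def456\r\n"
    "\r\n"
)
# 2) Same token in Referer, but the request goes to the target's own CDN subdomain (same site).
SAME_SITE_REQUEST = (
    "GET /static/app.js HTTP/1.1\r\n"
    "Host: cdn.target.example\r\n"
    "Referer: https://target.example/reset-password?token=abc123def456\r\n"
    "\r\n"
)
# 3) Third-party request after a Referrer-Policy trims the Referer to the origin only.
TRIMMED_REQUEST = (
    "GET /collect.js HTTP/1.1\r\n"
    "Host: analytics.third-party.example\r\n"
    "Referer: https://target.example/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in [("leaking", LEAKING_REQUEST), ("same-site", SAME_SITE_REQUEST),
                          ("trimmed", TRIMMED_REQUEST)]:
        result = check_referrer_leak(sample)
        print(f"{label:10s} vulnerable={result['vulnerable']}  {result['reason']}")
```

Only the first sample is reported as vulnerable: the token is in the Referer and the request leaves the target's site. The application-side fix is to stop the browser sending the full URL cross-origin, for example a `Referrer-Policy: no-referrer` (or `strict-origin-when-cross-origin`) response header on the reset page, or keeping the token out of the URL altogether; the third sample shows what the intercepted request looks like once such a policy is in place.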

I reported this to the target website and finally got a reward of 300 USD :)

Thanks :)

I am a bug bounty hunter on HackerOne :)