How to Hunt/Exploitation of Host Header Injection

What is Host Header Injection :-



Host Header Injection The HTTP host header is a request header that specifies the domain that a client (browser) wants to access. This header is necessary because it is pretty standard for servers to host websites and applications at the same IP address. However, they don't automatically know where to direct the request.

GET /web-security HTTP/1.1 → 200 ok

Host: admin.com

GET /web-security HTTP/1.1

Host: bing.com → 200 Ok

Let's Started

So, considering our target is xyz.com, first I tried to find some subdomain of xyz.com after getting some sub

domain . I started some bugs like xss ,crlf injection, sql injection, but I didn't find anything. After getting some time, I thought let's hunt for their contact from . First I tried rate limit, but they applied it on their page .

then i tried xss with an add extra header but this also not worked then i think let's remove xss payload from extra header and i send request and what i will redirected on my extra header

x-forwarded-for : bing.com

The impact of Host header injection?

A successful host header injection could result in web cache poisoning, password reset poisoning, access to internal hosts, cross-site scripting (XSS), bypassing authentication, virtual host brute-forcing, and more!

The significance of Host header?

The Host request header specifies the host and port number of the server to which the request is being sent. If no port is included, the default port for the service requested is implied (e.g., 443 for an HTTPS URL, and 80 for an HTTP URL). A Host header field must be sent in all HTTP/1.1 request messages.

Web cache poisoning via the Host header?

Web cache poisoning is an advanced hacking technique through which an attacker can exploit the pattern or behavior of a web cache and server. But before comprehending what is web cache poisoning, we should understand web cache and its vulnerabilities.

Conclusion

A lot of developers trust the “Host” header and this trust can be leveraged by an attacker. For example if the host header is used to create a password reset link this could be abused by an attacker to steal password reset tokens. The attack is super easy to check for as it only requires changing a single variable. If the attack is successful it could be leveraged to compromise user accounts by stealing their password reset tokens, resetting their password, and logging into their account.


إرسال تعليق

Post a Comment (0)

أحدث أقدم