Hey everyone, This Side Sidharth Today topic about host header vulnerability. Firstly, I am explaining background concept about host header vulnerability, and I give you practical demonstration about host header injection. so, stay tuned with my blog.
- What is Host Header Vulnerability
→ Host Header Injection The HTTP host header is a request header that specifies the domain that a client (browser) wants to access. This header is necessary because it is pretty standard for servers to host websites and applications at the same IP address. However, they don’t automatically know where to direct the request.
GET /web-security HTTP/1.1 → 200 ok
Host: admin.com
GET /web-security HTTP/1.1
Host: bing.com → 200 Ok
2. How to find this vulnerability
→ So, considering our target is xyz.com, first I tried to find some subdomain of xyz.com after getting some sub
domain . I started some bugs like xss ,crlf injection, sql injection, but I didn’t find anything. After getting some time, I thought let’s hunt for their contact from . First I tried rate limit, but they applied it on their page .
then i tried xss with an add extra header but this also not worked then i think let’s remove xss payload from extra header and i send request and what i will redirected on my extra header
x-forwarded-for : bing.com
3. The impact of Host header injection?
→ A successful host header injection could result in web cache poisoning, password reset poisoning, access to internal hosts, cross-site scripting (XSS), bypassing authentication, virtual host brute-forcing, and more!
The significance of Host header?
The Host request header specifies the host and port number of the server to which the request is being sent. If no port is included, the default port for the service requested is implied (e.g., 443 for an HTTPS URL, and 80 for an HTTP URL). A Host header field must be sent in all HTTP/1.1 request messages.
Web cache poisoning via the Host header?
Web cache poisoning is an advanced hacking technique through which an attacker can exploit the pattern or behavior of a web cache and server. But before comprehending what is web cache poisoning, we should understand web cache and its vulnerabilities.
let's brief hunt process in short term.
- choose your target ex: - xyz.com
- from main website extract subdomain then, choose less popular site
- and spider the host by burpsuite
- For this vulnerability check status code (2xx,3xx) means 200,201,202,301,302,303 etc.
- if host: - sub.xyz.com change to bing.com.
- if it redirects to bing.com it’s vulnerable site
- else you try adding x-forwarded-for: bing.com.
- # xss through host header vulnerability
- 1.if bing.com reflet to output it will be xss
Although, thanks for reading article — kidnapshadow✨🔥✌
If you want to follow then, follow me on Instagram medium and twitter….
Blogger: — https://kidnapshadow.blogspot.com/
Twitter: — https://twitter.com/kidnapshadow_kd
Medium: — https://medium.com/@UCpLuQFT-R3zA_bLi...
GitHub: — https://github.com/kidnapshadow-sidha... subscribe on YouTube.
Post a Comment