Host Header Attacks

Possible attack vectors

Check for flawed validation

GET /example HTTP/1.1
Host: vulnerable-website.com:bad-stuff-here

GET /example HTTP/1.1
Host: hacked-subdomain.vulnerable-website.com

Send ambigious requests

GET /example HTTP/1.1
Host: vulnerable-website.com
Host: bad-stuff-here

GET https://vulnerable-website.com/ HTTP/1.1
Host: bad-stuff-here

GET /example HTTP/1.1
    Host: bad-stuff-here
Host: vulnerable-website.com

Potential Headers to inject

X-Forwarded-Host
X-Host
X-Forwarded-Server
X-HTTP-Host-Override
Forwarded

Lab: Basic password reset poisoning

First, we will trigger the password reset.

After studying the flow, we realised that if we change the Hostvalue, the URL in the email will change accordingly.

So we just need to change the Hostvalue to the exploit server and the username to carlos

We should be able to see the token value in the access log

We can change the password using the token we got for carlos.

Lab: Web cache poisoning via ambiguous requests

Update the exploit server to contain this:

Spam this request to keep the cache poisoned

GET / HTTP/1.1
Host: 0a050077043c31dd8287d963008d0098.h1-web-security-academy.net
Host: exploit-0a0d00fd040631148212d870011f008a.exploit-server.net
Cookie: session=jx2LtgUZo0GKyG9zrEj8Jpv4SDuS96ne; _lab=46%7cMCwCFCWKYOMiN9h4hN%2f2sChivdG1k6BGAhQzCpPcFYVQr7Dx%2fflN%2fSh3aoCVlsWnyZDLQVqg961MTjr4ahB%2fCAlT9CW%2bNCRdSm7KrpODkeX23vqTnXLtJ0yRntTVloa7nJR5Yzu4pXYFi7Xpq2oFMSLzyN3aLTxftSWTOtH6FKduDHcfl2c%3d
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive

Lab: Host header authentication bypass

Change the value of Hostto localhost to access the admin panel

After which, change the path to delete carlos

First, we will try to see does it send anything to the collaborator

We can see that it does send to the collaborator

So, the next step we need to see which IP address is able to access the admin page.

By using intruder, we will replace the value in the Hostheader with the IP addresses.

We also need to ensure that the Update Host header to match target is not checked.

After running the intruder, we can see that got 1 IP address that returns a 302 status code.

After modifying the request, we are able to visit the admin panel

If we try to modify the Hostheader directly, we will get blocked.

If we put an abosolute URL in the request, we can see that the request goes through as per normal.

So, we will try to put our collaborator payload into the Hostheader

We can see that the request went through, this means that the checks is being done on the URL instead.

Same as the previous lab, change the value in the Hostheader to be a IP address and use intruder to scan through all of it. Need to uncheck the Update Host header to match target

After running the scan, we can see that the IP address that returns a status code of 302 is 50

After modifying the request to go /admin, we can see the admin panel

Lastly, to delete carlos, just need to send this modified POST request

Lab: Host validation bypass via connection state attack

If we change the Hostheader to 192.168.0.1and the route to /admin, we can see that we are being redirected

What we can do is send 1 legitimate request and 1 malicious request using the same connection

We can see that the 2nd request is able to see the admin panel.

To delete the account, just need to modify the request to delete it and resend the sequence using the same connection