caon.io

Host Header Injection

Typically, host header injections are not harmful by themselves; a chain of vulnerabilities is necessary for them to escalate.

  • Business Logic flaws
  • Cache poisoning

Attack Vectors

Premise: A website allows a user to recover his password by requesting a reset email.

Attack vector: An attacker requests a reset for an email address that he knows exists in the application, intercepts the request, and adds a host header, X-Forwarded-For: evil.com

If the attack is successful, the user will receive an email that directs them to evil.com
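The reset flow described above, shown as a vulnerable link builder beside a hardened one. This is an added example, not code from the original page; the function names, the /reset path, app.example.com and the set of override headers are assumptions.

```python
from urllib.parse import urlencode

# Assumptions for this sketch: all names, paths and hosts are hypothetical.
CANONICAL_ORIGIN = "https://app.example.com"  # from server config, never from the request
ALLOWED_HOSTS = {"app.example.com"}
# Headers the hypothetical vulnerable app lets override Host
# (X-Forwarded-For is the one named in the scenario above).
OVERRIDE_HEADERS = ("x-forwarded-host", "x-forwarded-for")


def _norm(headers):
    """Header names are case-insensitive, so compare them lowercased."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def reset_link_vulnerable(headers, token):
    """Before: the host in the emailed link is whatever the client sent."""
    h = _norm(headers)
    host = next((h[n] for n in OVERRIDE_HEADERS if n in h), h.get("host", ""))
    query = urlencode({"token": token})
    return f"https://{host}/reset?{query}"


def reset_link_hardened(headers, token):
    """After: validate Host against an allowlist, build the link from config only."""
    h = _norm(headers)
    host = h.get("host", "").lower().split(":")[0]  # drop an optional port
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host header: {host!r}")
    # Override headers are never read here, so they cannot reach the email.
    query = urlencode({"token": token})
    return f"{CANONICAL_ORIGIN}/reset?{query}"


# Constructed sample requests mirroring the scenario above.
POISONED = {"Host": "app.example.com", "X-Forwarded-For": "evil.com"}
SPOOFED_HOST = {"Host": "evil.com"}

if __name__ == "__main__":
    print("vulnerable:", reset_link_vulnerable(POISONED, "t0k3n"))
    print("hardened:  ", reset_link_hardened(POISONED, "t0k3n"))
    try:
        reset_link_hardened(SPOOFED_HOST, "t0k3n")
    except ValueError as exc:
        print("rejected:  ", exc)
```
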

Headi

# https://github.com/mlcsec/headi
headi -url http://example.com

Common Headers

https://gist.github.com/felipecaon/313a6fb6f1c5273bd61169fba920016f

# Fake Origin - make GET request to accessible endpoint with:
X-Original-URL: /admin
X-Override-URL: /admin
X-Rewrite-URL: /admin
Referer: /admin