Skip to content

HTTP Host header attacks

Jump to bottom
Alnoman Kamil edited this page Nov 23, 2024 · 12 revisions

Apprentice lab:
Host header authentication bypass

This lab makes an assumption about the privilege level of the user based on the HTTP Host header.
To solve the lab, access the admin panel and delete the user carlos.

  • Solution

    1. Visit /admin endpoint.
    2. Intercept on (using mitmproxy) and reload page.
    3. Notice an HTTP/2 Request is made. Add :authority Header and set it to localhost.
    4. Do the same for delete poor carlos request.

IMPORTANT NOTE:
See discussion as on why :authority pseudo-header is used, instead of Host.

Apprentice lab:
Basic password reset poisoning

This lab is vulnerable to password reset poisoning. The user carlos will carelessly click on any links in emails that he receives. To solve the lab, log in to Carlos's account.
You can log in to your own account using the following credentials: wiener:peter. Any emails sent to this account can be read via the email client on the exploit server.

  • Solution

    1. Login as wiener:peter.
    2. Do what normally would someone do, if password was lost. Study the flow.
    3. Modify the POST request of /forgot-password by adding a :authority: domain header and changing the username to carlos.
    4. Replay (r) the request and go to logs. A token is received from a different IP. Copy the token and reset the password for carlos.
    5. Login as carlos.

Practitioner lab:
Routing-based SSRF (Pro)

Practitioner lab:
SSRF via flawed request parsing (Pro)

Solutions for the Portswigger's Web Security Academy using mitmproxy and other cli tools instead of Burp Suite

Home

Server-side topics:

Client-side topics:

Advanced topics:

Clone this wiki locally