Uncovering Host Header Injection Vulnerabilities in 5 Apex Domain Hosts
Hello everyone,
My name is Matin, a dedicated bug hunter and security researcher. I’m excited to present to you my inaugural write-up, where I delve into the fascinating world of discovering vulnerabilities. In this piece, we’ll explore a significant finding — a host header injection vulnerability I uncovered in 5 apex domain hosts.
Introduction:
As a bug hunter, my journey involves navigating the intricate web of code to uncover potential vulnerabilities that could compromise the security of web applications. Recently, I stumbled upon a noteworthy discovery — a host header injection vulnerability present in the apex domains of five prominent hosts.
Understanding Host Header Injection:
Before delving into the specifics of the vulnerabilities found, let’s establish a clear understanding of host header injection. This type of vulnerability occurs when an attacker manipulates the Host header in an HTTP request to trick the server into accepting a different domain. This can lead to various security risks, such as session fixation and cookie theft.
Let's Start Hunting
Step one:
After a wild recon, I searched for active domains with httpx using this command:
cat sub.txt|httpx --status-code --title -td
After navigating through many URLs, I found 5 domains that redirect to example.com.
Now let's check and capture the requests on the first domain:
We found 2 requests {308, 307} on the first domain for redirection to the apex domain, but we have a 308 status code with the first request. Now let's try host header injection on this request.
We can see this request redirects the client to another part. Let's follow this:
Let's try host header injection, maybe it's working 🤨
No, we don't have any redirection, we get a 404 status code 😒 So never give up, let's go back and test the first request 😈
Good news, we have a 301 status code :) Let's follow
Follow and continue:
And boom 💥 we are redirected to bing.com
OK, but we have other domains like this request. See my target redirection flow in this picture 👇:
Note: first check and test any redirection against your program's scope, for resolving on your report :)
And finally, we have 5 host header injection vulnerabilities on 5 different domains.
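The redirects above are consistent with a server that builds its Location header from the request's Host header. The following is an added example, not code from this write-up or from the affected hosts, showing that pattern next to a hardened handler; the function names, the allowlist and the canonical host are assumptions chosen for illustration.

```python
# Added illustration: hypothetical redirect handlers, not code from the tested hosts.
from urllib.parse import urlsplit

CANONICAL_HOST = "example.com"  # assumed apex domain
ALLOWED_HOSTS = {"example.com", "www.example.com"}  # assumed allowlist


def normalize_host(raw):
    """Return the lowercase hostname from a Host header value, or None if malformed."""
    if not raw or any(c in raw for c in " \t\r\n/@\\?#"):
        return None
    try:
        parts = urlsplit("//" + raw)
        host, _port = parts.hostname, parts.port  # .port raises on a non-numeric port
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def redirect_vulnerable(headers, path):
    """Unsafe pattern: the Location header echoes the client-supplied Host."""
    return 301, {"Location": f"https://{headers.get('Host', '')}{path}"}


def redirect_hardened(headers, path):
    """Reject unknown hosts; always redirect to the configured canonical host."""
    host = normalize_host(headers.get("Host"))
    if host not in ALLOWED_HOSTS:
        return 400, {}
    # Keep the redirect on-site: only absolute paths, no scheme-relative "//" or "/\".
    if not path.startswith("/") or path.startswith(("//", "/\\")):
        path = "/"
    return 301, {"Location": f"https://{CANONICAL_HOST}{path}"}


if __name__ == "__main__":
    # Constructed requests: a legitimate Host and the manipulated one from the write-up.
    for host in ("www.example.com", "bing.com"):
        req = {"Host": host}
        print(host, redirect_vulnerable(req, "/login"), redirect_hardened(req, "/login"))
```

The hardened handler never copies request data into the host part of the redirect, so an unexpected Host value produces a 400 instead of an off-site Location.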
Conclusion:
This write-up serves not only to share my discovery with the security community but also to raise awareness about the importance of robust web application security. As we continue to navigate the digital landscape, collaboration between security researchers and organizations becomes crucial to fortifying our online defenses.
Stay tuned for updates on the resolution of these vulnerabilities. Your feedback and insights are highly appreciated as we collectively strive to create a more secure online environment.
Wait, this story is just beginning 😈
Happy hacking responsibly!
Best regards, Matin