Uncovering Host Header Injection Vulnerabilities in 5 Apex Domain Hosts Part Two how to chain

Javroot
7 min readMar 14, 2024

--

hey guys 👋, mat in here on new write-UP let’s go for how to chain host header injection XD

HTTP Host header attacks

1. Password reset poisoning :

is a term used in cybersecurity to describe a type of attack where an attacker manipulates the password reset process of a system or service to gain unauthorized access or control.

In a password reset poisoning attack, the attacker typically exploits vulnerabilities or weaknesses in the password reset mechanism to trick the system into accepting a new password chosen by the attacker. This can involve various techniques such as intercepting password reset requests, manipulating parameters or tokens involved in the reset process, or exploiting flaws in the authentication flow.

By successfully poisoning the password reset process, the attacker can gain access to user accounts, escalate privileges, or even take control of the entire system, depending on the level of access gained and the security measures in place.

To mitigate the risk of password reset poisoning attacks, organizations should implement robust security measures such as multi-factor authentication, secure token generation and validation, encryption of sensitive data, and regular security audits to identify and patch vulnerabilities in the password reset mechanism.

IF you need more info and access lab, go to the portswigger:
https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning

2.Web cache poisoning

So, what exactly is web cache poisoning? Well, imagine this: when you visit a website, your browser often stores certain elements of that site, like images or scripts, in its cache to speed up future visits. Now, imagine if a malicious actor could manipulate what gets stored in that cache. That’s essentially what web cache poisoning is all about.

In simpler terms, it’s like a hacker sneaking into your browser’s memory and swapping out the legitimate content with their own malicious payload. Scary, right?

But how does it work? One common method involves injecting malicious code into HTTP requests or responses that pass through intermediary caching servers. These servers then unwittingly store the poisoned content, which can later be served to unsuspecting users, spreading the attack further.

The implications of web cache poisoning can be severe. It can lead to the spread of malware, theft of sensitive information, or even complete compromise of a web application or server.

So, how can we defend against such a sneaky attack? Well, awareness is key. Website owners and developers should be vigilant in monitoring their systems for signs of cache poisoning attempts. Additionally, implementing secure coding practices, regularly updating software, and configuring caching servers properly can help mitigate the risk.

this vulnerability lab in here :
https://portswigger.net/web-security/host-header/exploiting/lab-host-header-web-cache-poisoning-via-ambiguous-requests

3. Unveiling Classic Server-Side Vulnerabilities: An Exploration

Classic server-side vulnerabilities encompass a range of weaknesses that can be exploited by attackers to gain unauthorized access, manipulate data, or disrupt services on a server.

Think of it like finding a hidden backdoor into a building — except in this case, it’s a digital doorway into a server’s inner workings.

These vulnerabilities come in various forms, from buffer overflows and SQL injection to directory traversal and remote code execution. Each presents its own unique set of risks and challenges for system administrators and developers.

But why are these vulnerabilities still relevant today, you might ask? Well, despite advances in security technology and awareness, many servers still run outdated software or have poorly configured settings, leaving them susceptible to exploitation.

And make no mistake — the consequences of a successful exploit can be severe. It could lead to the compromise of sensitive data, the infiltration of malware, or even the complete shutdown of a critical system.

So, how can we defend against these classic server-side vulnerabilities? It starts with awareness. System administrators and developers need to stay informed about the latest security threats and best practices for mitigating risks.

Regular software updates, robust access controls, and thorough code reviews are also essential components of a comprehensive security strategy.

4. Host header authentication bypass

So, how does it work? Well, it all starts with the humble HTTP request header. This little snippet of metadata tells the server important details about the incoming request, including the hostname of the site being accessed.

Now, imagine if a hacker could manipulate that hostname to trick the server into thinking they’re accessing a different site — one that doesn’t require authentication. That’s where host header injection comes into play.

By injecting a malicious hostname into the HTTP request header, an attacker can potentially bypass authentication checks and gain unauthorized access to restricted areas of a website or application.

But why does this work? It all comes down to how web servers handle incoming requests. In some cases, servers may prioritize the hostname specified in the HTTP request header over other sources of information, such as the actual domain name entered by the user.

This means that if an attacker can craft a malicious HTTP request with a spoofed hostname, they may be able to fool the server into granting them access without proper authentication.

The implications of host header injection can be serious. It could allow an attacker to access sensitive data, perform unauthorized actions, or even take control of the entire server, depending on the level of access gained.

So, how can we defend against this type of attack? Well, it starts with secure coding practices and robust input validation. Developers should carefully sanitize and validate all incoming request headers to ensure they’re not being manipulated by attackers.

Additionally, web servers and applications should be configured to prioritize trusted sources of hostname information and reject requests with suspicious or unexpected headers.

lab:
https://portswigger.net/web-security/host-header/exploiting/lab-host-header-authentication-bypass

5. Routing-Based SSRF Attacks

At its core, it’s a technique where an attacker crafts malicious requests in a way that tricks the server into making internal requests to unintended destinations. This can often lead to the exploitation of vulnerable services or systems within a network that are not meant to be directly accessible from the internet.

The key to routing-based SSRF lies in understanding how the target server handles routing decisions. By exploiting weaknesses in the server’s routing logic, an attacker can redirect requests to internal network resources, such as databases, file systems, or other services.

One common scenario involves manipulating the server’s DNS resolution process. By providing a malicious domain name in the request, an attacker can coerce the server into resolving the domain to an internal IP address, effectively bypassing any network restrictions in place.

Another tactic involves exploiting misconfigured or insecure routing rules within the server’s infrastructure. For example, if the server is configured to trust certain internal IP ranges or subnets, an attacker could craft requests that appear to originate from within those trusted ranges, allowing them to access internal resources.

The consequences of a successful routing-based SSRF attack can be severe. It could lead to the unauthorized access of sensitive data, the compromise of critical systems, or even the complete takeover of the server itself.

So, how can we defend against routing-based SSRF attacks? Firstly, it’s crucial to implement strict input validation and sanitization measures to prevent attackers from injecting malicious payloads into requests. Additionally, server configurations should be reviewed and hardened to ensure that routing rules are secure and properly enforced.

Network segmentation and access controls can also help limit the impact of SSRF attacks by restricting the routes that server requests are allowed to take.

In conclusion, routing-based SSRF attacks represent a sophisticated and potent threat to server security. By understanding how these attacks work and implementing robust defensive measures, we can help protect our systems and data from exploitation.

labs:https://portswigger.net/web-security/host-header/exploiting/lab-host-header-routing-based-ssrf
—
https://portswigger.net/web-security/host-header/exploiting/lab-host-header-ssrf-via-flawed-request-parsing

Exploit TIME :

ok we found the host header injection but how to exploit ? let’s try sum flow we are get apex domain and find login or forget password link for Password reset poisoning or Host header authentication bypass

Step one : try to login

and now try localhost and send this request : didn't work :(

but one step back and see and get forget password link for Password reset poisoning:

send Forget password and added X-Forwarded-Host on this request :

and now wait for Collab request:

boom we are now request

Reference links : https://portswigger.net/web-security/host-header#what-is-the-http-host-header

In the digital realm, where shadows creep, Stay alert, in cyberspace’s keep. With every click, every share, Stay informed, show you care.

Guard your data, keep it tight, In the web’s labyrinth of light. Stay secure, stay online, In every byte, your safety shines.

Best regards,

Matin 😉

--

--

Javroot
Javroot

Written by Javroot

bug hunter and security researcher

No responses yet