Host header injection reset password

Today we're going to talk about the host injection vulnerability. If you were invited to a private program, I advise you to start with this attack, as it is common and easy to discover .So let's start the fun, guys.

HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior.

The use of the host header is especially common in PHP web applications, however, it’s certainly not a problem endemic to PHP web applications. The PHP script in the following example is a typical and dangerous use of the host header.

<script src="http://<?php echo _SERVER['HOST'] ?>/script.js">

An attacker can potentially manipulate the code above to produce the following HTML output just by manipulating the host header.

<script src="http://attacker.com/script.js">

The two major attack vectors host header attacks enable are web-cache poisoning, and abuses of alternative channels for conducting sensitive operations, such as password resets.

1-i create account then active it

2-go to reset password and intercept request using burp suite then send request to repeater

3-change host to evil.com then go

4-go to your email and copy reset password link

5- website is vulnerable i reported a bug after hours it was accepted.

happy hacking

Mitigation

Mitigating against host header is simple — don’t trust the host header. However in some cases, this is easier said than done (especially situations involving legacy code). If you must use the host header as a mechanism for identifying the location of the web server, it’s highly advised to make use of a whitelist of allowed hostnames.

share this stories with your friends

Don’t forget to follow me, I have more stories waiting for you, friend, to tell you

Bye

Security Researcher | Bug Bounty Hunter