Today we're going to talk about the Host header injection vulnerability. If you were invited to a private program, I advise you to start with this attack, as it is common and easy to discover. So let's start the fun, guys.
What is a Host header injection attack?
HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior.
Use of the Host header is especially common in PHP web applications, but the problem is certainly not endemic to PHP. The PHP snippet below is a typical and dangerous use of the Host header: the header value is echoed straight into a script URL without any validation.
<script src="http://<?php echo $_SERVER['HTTP_HOST']; ?>/script.js"></script>
An attacker who controls the Host header can therefore make the code above emit a script tag whose src points at a host of the attacker's choosing.
The two major attack vectors host header attacks enable are web-cache poisoning, and abuses of alternative channels for conducting sensitive operations, such as password resets.
How could I find Host header injection in a password reset?
1- I created an account and activated it.
2- Go to the reset-password page, intercept the request using Burp Suite, then send the request to Repeater.
3- Change the Host header to evil.com, then send the request.
4- Go to your email and copy the reset-password link.
5- The website is vulnerable; I reported a bug and after a few hours it was accepted.
Mitigating Host header attacks is simple — don’t trust the Host header. However, in some cases this is easier said than done (especially in situations involving legacy code). If you must use the Host header as a mechanism for identifying the location of the web server, it’s highly advised to check it against a whitelist of allowed hostnames.
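To make the whitelist advice concrete, here is an added example (my own illustration, not code from the original post or from any real project) that puts the vulnerable reset-link pattern next to a hardened version. The hostnames in ALLOWED_HOSTS and CANONICAL_HOST, the /reset path and the sample tokens are all assumed values; the request arrays stand in for PHP's $_SERVER.

```php
<?php
// Added example (not from the original post): building a password-reset link
// without trusting the raw Host header. Allow-list, canonical host and reset
// path are assumed configuration values for this illustration.

declare(strict_types=1);

const ALLOWED_HOSTS  = ['example.com', 'www.example.com']; // assumed
const CANONICAL_HOST = 'example.com';                      // assumed

/**
 * Vulnerable pattern described in the post: the Host header is copied into
 * the link. A request sent with "Host: evil.com" yields a reset link that
 * delivers the token to evil.com.
 */
function reset_link_vulnerable(array $server, string $token): string
{
    return 'https://' . $server['HTTP_HOST'] . '/reset?token=' . urlencode($token);
}

/**
 * Hardened: the Host header is only used if it matches the allow-list.
 * Anything else (unknown host, missing header, odd casing or an extra port)
 * falls back to the configured canonical hostname.
 */
function trusted_host(array $server): string
{
    $raw = $server['HTTP_HOST'] ?? '';
    // Drop an optional ":port" suffix and normalise case before comparing,
    // so "WWW.Example.com:443" still matches the allow-list entry.
    $host = strtolower(preg_replace('/:\d+$/', '', $raw));
    return in_array($host, ALLOWED_HOSTS, true) ? $host : CANONICAL_HOST;
}

function reset_link_safe(array $server, string $token): string
{
    return 'https://' . trusted_host($server) . '/reset?token=' . urlencode($token);
}

// Constructed request environments standing in for $_SERVER (sample data).
$token      = 'sample-token-123';
$legit      = ['HTTP_HOST' => 'WWW.Example.com:443'];
$forged     = ['HTTP_HOST' => 'evil.com'];
$forgedPort = ['HTTP_HOST' => 'evil.com:8080'];
$missing    = [];

echo 'vulnerable, forged host : ', reset_link_vulnerable($forged, $token), PHP_EOL;
echo 'safe, legitimate host   : ', reset_link_safe($legit, $token), PHP_EOL;
echo 'safe, forged host       : ', reset_link_safe($forged, $token), PHP_EOL;
echo 'safe, forged host+port  : ', reset_link_safe($forgedPort, $token), PHP_EOL;
echo 'safe, no Host header    : ', reset_link_safe($missing, $token), PHP_EOL;
```

The design point is that the allow-list check happens in exactly one place and the only possible outputs are hostnames you configured yourself, so a forged Host value can never reach the email template. Running the script with `php` shows the vulnerable function echoing evil.com into the link while every hardened call lands on an allow-listed or canonical host.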
Don’t forget to follow me; I have more stories waiting to tell you, friend.