$500 worth of Host Header Injection
Hey Everyone!
I’ve discovered another vulnerability on a bug bounty platform, and I’m excited to share the details with you. Let’s dive right in and explore the process!
What is Host Header Injection?
Host header injection is a web security vulnerability that occurs when an attacker manipulates the “Host” header in an HTTP request to a web server. This header is part of the HTTP protocol and specifies the domain or host for which the request is intended. Host header injection attacks typically target websites that trust the client-supplied “Host” header, for example to select the virtual host to serve or to build links and redirects in their responses.
Manipulating the Host Header: In a typical HTTP request, the “Host” header specifies the domain name or IP address of the server the client wants to communicate with. For example:
GET /page HTTP/1.1
Host: www.example.com
An attacker with the ability to control or influence the “Host” header can change it to a different domain, potentially one they control:
GET /page HTTP/1.1
Host: malicious.com
How Can You Exploit This Vulnerability:
Obviously, it’s not that easy to obtain $500 from anyone. Host Header Injection is considered an informational or P5 severity vulnerability, unless you can demonstrate a significant impact, such as an account takeover using the ‘forgot password’ functionality or other chained vulnerabilities like Web Cache Poisoning.
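To make the reflection concrete, here is an added example (not code from the original post) of a ‘forgot password’ link builder that reflects the client-supplied Host header unescaped, next to a hardened version that checks the Host against a server-side allowlist before rendering anything. The allowlist, request strings and the `evil.com` payload marker are constructed for the example.

```python
import html

# Constructed allowlist; in a real deployment this comes from server config, never from the request.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def parse_request(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a lowercase-keyed dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def reset_link_vulnerable(headers: dict) -> str:
    """Build the reset link from whatever Host the client sent.
    The value is reflected straight into an HTML attribute: this is the bug."""
    host = headers.get("host", "")
    return f'<a href="https://{host}/reset?token=TOKEN">Reset password</a>'


def host_is_allowed(host: str) -> bool:
    """Compare the Host header (minus an optional :port) against the allowlist."""
    hostname, sep, port = host.rpartition(":")
    if not sep or not port.isdigit():     # no port present, keep the whole value
        hostname = host
    return hostname.strip().lower() in ALLOWED_HOSTS


def reset_link_hardened(headers: dict) -> str:
    """Reject any Host not in the allowlist, and escape the value that is rendered."""
    host = headers.get("host", "")
    if not host_is_allowed(host):
        raise ValueError(f"rejected Host header: {host!r}")
    safe_host = html.escape(host, quote=True)
    return f'<a href="https://{safe_host}/reset?token=TOKEN">Reset password</a>'


# Constructed sample requests: a legitimate one, and a change-password request whose
# Host carries an attribute-breaking marker appended to "evil.com".
GOOD_REQUEST = "POST /change-password HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
EVIL_REQUEST = 'POST /change-password HTTP/1.1\r\nHost: evil.com"><i>injected</i>\r\n\r\n'

if __name__ == "__main__":
    print(reset_link_vulnerable(parse_request(EVIL_REQUEST)))   # marker lands in the page
    try:
        reset_link_hardened(parse_request(EVIL_REQUEST))
    except ValueError as err:
        print(err)                                               # request is rejected
```

The same allowlist check also protects a reset e-mail or redirect that is built from the Host header, which is where the account-takeover chain mentioned above usually starts.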
Request:
XSS via Host Header Injection:
Initially, I captured the “change password” request and sent it to the Repeater for testing. I tried almost every type of test case on the request, and finally, I changed the Host to “evil.com.” I observed that the host was reflected in the response.
Boommmm !! Host Header Injection !!!!
It’s just a P5, right??
Suddenly my hacker brain got activated. I read a lot of blogs regarding escalating Host Header Injection to P1. I just added an XSS payload at the end of “evil.com”.
After seeing the response I was like, WTF..
Actually, it worked, and I could see a beautiful XSS popup in the response.
I reported this to the security team, and the next day I got a mail with a $500 bounty.
Happy Hunting!!!!
My LinkedIn: https://www.linkedin.com/in/ramthullaguduru