Host header injection to open redirect and cache poisoning on HackerOne target (frontegg)

4 months ago 25

JEETPAL

Hi

I found a host header injection on a HackerOne target, frontegg, which led to open redirect and cache poisoning.

Let's start.

Target: portal.au.frontegg.com

Open Burp Suite and capture the first request.

301 moved permanently

It redirects us to portal.au.frontegg.com.

Now change the Host header.

Location change

You can see that the Location header in the response now changes after the Host is changed in the request.

Follow the redirection 2 times and you will get this:

cache poisoning

Now you get a 200 OK in the response.

200 OK

You are redirected to bing.com. In the same way, cookies and sensitive information can be stolen by sending the victim to an attacker's website. If the request is tried many more times, it becomes cache poisoning: the host header attack does not need to be repeated again and again, and visitors are automatically redirected to the attacker's site.
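The server-side side of this issue, as an added example that is not part of the original write-up or of Frontegg's code: a redirect that mirrors the Host header (the behaviour described above) next to one that checks the header against an allowlist and builds Location from a fixed canonical host. The allowlist contents, the function names and the dict-shaped headers are assumptions made for the sketch.

```python
# Added example: Location built from the request Host header vs. from an allowlist.
from urllib.parse import urlsplit

# Assumption: the only host this deployment legitimately serves.
ALLOWED_HOSTS = {"portal.au.frontegg.com"}
CANONICAL_HOST = "portal.au.frontegg.com"


def normalize_host(raw):
    """Return the lowercase hostname without port, or None if malformed."""
    if not raw or any(c in raw for c in " \t\r\n/@\\,"):
        return None
    try:
        parts = urlsplit("//" + raw)
        host, _ = parts.hostname, parts.port  # .port raises on a junk port
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def vulnerable_redirect(headers, path):
    """Behaviour described in the post: Location mirrors the Host header."""
    return 301, {"Location": "https://" + headers.get("Host", "") + path}


def hardened_redirect(headers, path):
    """Reject unknown hosts and never echo client input into Location."""
    if "Host" not in headers:
        return 400, {"Cache-Control": "no-store"}
    # X-Forwarded-Host is client-controllable unless your own proxy sets it,
    # so it is validated exactly like Host.
    for name in ("Host", "X-Forwarded-Host"):
        if name in headers and normalize_host(headers[name]) not in ALLOWED_HOSTS:
            # no-store keeps a shared cache from storing the rejection.
            return 400, {"Cache-Control": "no-store"}
    # Only same-site absolute paths; "//x" and "/\x" are read as another host.
    if not path.startswith("/") or path[1:2] in ("/", "\\"):
        path = "/"
    return 301, {"Location": "https://" + CANONICAL_HOST + path}
```

If a cache sits in front of the application, it should apply the same host allowlist, otherwise a response generated for an unexpected host can still be stored and served to other visitors.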

Thank you !!
