Before diving into “Host Header Injection”, a few prerequisites should be kept in mind; let’s start with what a host header actually is.
A simple Google search defines it as follows: “The Host request header specifies the host and port number of the server to which the request is being sent.
If no port is included, the default port for the service requested is implied: 80 for an HTTP URL and 443 for an HTTPS URL.”
In layman’s terms, host header injection is a web-based attack where the attacker supplies an arbitrary Host header to the web application. If the server completely trusts the Host header and fails to validate it properly, an attacker can use this input to inject payloads that manipulate server-side behavior.
To be secure from host header injection, don’t trust the Host header; use a whitelist of the allowed host names.
Testing for host header injection is very simple: you just need to check whether you can modify the Host header and still reach the target with your request.
The screenshots attached below show an example of how one can simulate a simple host header injection.
A. Try to pass a random host in the request in Burp Suite and check in the response whether you were able to modify the host. If you were, the web application may be vulnerable to host header injection.
B. Once you know the web application is vulnerable to host header injection, modify the host in the request to the attacker’s host and check the response: a 200 OK means you are able to exploit the host header injection.
C. If you get 400 Bad Request, you can try some bypasses. One of them, shown in the screenshot above, is to add an additional Host header: keep the original host in the first one and put the attacker’s host in the second; after this you may be able to bypass the check.
Below are some glimpses of what an attacker can do:
If the password reset functionality is affected by host header injection, an attacker can go through the “forgot password” flow and change the Host header; if the functionality allows the attacker’s domain to be used when creating the password reset link, the attacker can obtain the user’s token and reset the password of the user’s account.
If the Host header is reflected in the response markup without HTML encoding, an attacker can exploit web cache poisoning on the web application, and whenever a user visits the web application it will redirect the user to the attacker’s domain.
If the web application is vulnerable to host header injection, an attacker can cause an open redirect to a website the attacker controls: by changing the host, the attacker can redirect the user to the attacker’s domain.
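The whitelist approach recommended above, together with the password reset case, as an added example that is not part of the original post: the hostnames, canonical origin and URL path are assumed values, and the check rejects requests that carry more than one Host header (the duplicate-header trick described in step C) instead of picking one of them.

```python
# Constructed allowlist of hostnames this application answers for (assumed values).
ALLOWED_HOSTS = {"shop.example.com", "www.example.com"}
# Canonical origin used for every absolute URL the app generates (assumed value).
# Reset links and redirects are built from this, never from the request's Host header.
CANONICAL_ORIGIN = "https://shop.example.com"


def normalize_host(raw: str) -> str:
    """Lower-case a Host header value and strip an optional port."""
    host = raw.strip().lower()
    if host.startswith("["):            # IPv6 literal such as [::1]:8443
        host = host.split("]", 1)[0] + "]"
    elif host.count(":") == 1:          # hostname:port
        host = host.split(":", 1)[0]
    return host


def host_is_allowed(host_headers: list) -> bool:
    """Accept the request only if exactly one Host header is present and whitelisted.

    A missing Host or duplicate Host headers are rejected outright rather than
    resolved in favour of either value.
    """
    if len(host_headers) != 1:
        return False
    return normalize_host(host_headers[0]) in ALLOWED_HOSTS


def password_reset_link(token: str) -> str:
    """Build the reset URL from the configured origin, ignoring what the client sent."""
    return f"{CANONICAL_ORIGIN}/reset-password?token={token}"


def handle_reset_request(host_headers: list, token: str):
    """Return (status, reset_link): 400 for a bad Host, 200 with a safe link otherwise."""
    if not host_is_allowed(host_headers):
        return 400, None
    return 200, password_reset_link(token)


if __name__ == "__main__":
    # Constructed requests: a legitimate one and two manipulated Host headers.
    print(handle_reset_request(["shop.example.com"], "t0ken"))
    print(handle_reset_request(["attacker.invalid"], "t0ken"))
    print(handle_reset_request(["shop.example.com", "attacker.invalid"], "t0ken"))
```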
Blog by: Dark Legend