Testing for Vulnerability

Test Objectives

Assess if the Host header is being parsed dynamically in the application.
Bypass security controls that rely on the header.

How to Test

Supply an arbitrary Host Header

GET / HTTP/1.1
Host: www.attacker.com

Check for flawed validation (Bypass)

# Supplying non numeric port number

GET /example HTTP/1.1
Host: vulnerable-website.com:bad-stuff-here

# Registering a domain that matches the same sequence of characters

GET /example HTTP/1.1
Host: notvulnerable-website.com

# Already compromised subdomain

GET /example HTTP/1.1
Host: hacked-subdomain.vulnerable-website.com

Send ambiguous requests

# Inject duplicate Host headers

GET /example HTTP/1.1
Host: vulnerable-website.com
Host: bad-stuff-here

# Supply an absolute URL

GET https://vulnerable-website.com/ HTTP/1.1
Host: bad-stuff-here

# Add line wrapping

GET /example HTTP/1.1
    Host: bad-stuff-here
Host: vulnerable-website.com

Other Techniques

This is just a small sample of the many possible ways to issue harmful, ambiguous requests. For example, you can also adapt many HTTP request smuggling techniques to construct Host header attacks.

Inject host override headers

# Using X-Forwarded-Host to inject malicious input

GET /example HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-Host: bad-stuff-here

# Similar types of headers


    X-Host
    X-Forwarded-Server
    X-HTTP-Host-Override
    Forwarded

In Burp Suite, you can use the Param Miner extension's "Guess headers" function to automatically probe for supported headers using its extensive built-in wordlist.

REFERENCES

PreviousHost Header Attacks NextPassword Reset Poisoning

Last updated 1 year ago

Was this helpful?

Test Objectives

How to Test

Send ambiguous requests

Inject host override headers

REFERENCES