I am a beginner in security and reading about host header injection. I tested an application for this vulnerability and it is possible there for some requests, but the developer implemented no-cache, no-store flags and this vulnerability is not in the password reset request.
So the first thing is there will not be cache poisoning, and the second is that it is not happening in the password reset request.
As I understand it, to exploit this vulnerability I changed the Host header. So I want to know why it would be a vulnerability, why a user would change the Host of the application, and how an attacker can exploit it?
Host Header Injection
Asked by Pawan Dwivedee
As in all cases, client input to the application should never be trusted (in security terms). The Host header is also something that can be changed by the client. A typical attack scenario would be, for example:
Let's suppose you have an application that blindly trusts the HOST header value and uses it without validating it. So you may have the following code in your application, where you load a JS file dynamically (by host name):
In this scenario, whatever the attacker sets as the HOST header would be reflected in this JS script load. So the attacker could tamper with this by manipulating the response to load a JS script from another host (potentially malicious). If the application is using any caching mechanism or CDN and this request is repeated multiple times, it can be cached by the caching proxy. Then it can be served to other users as well (as it was saved to cache).
Another way of exploiting this is:
Let's suppose that the application has a user password reset feature, and the application will send an email to whoever asks for a password reset with a unique token to reset it, like the email below:
Now an attacker can trigger a password reset for a known victim email by tampering with the HOST header value, setting it to one of his choosing. Then the victim would receive the legitimate password reset email, yet the URL will be changed to the domain set by the attacker. If the victim opens that link, the password reset token could be leaked to the attacker, which would lead to account takeover.
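The fix on the server side is to stop treating the Host header as trusted input. The following Python/WSGI snippet is an added example, not code from the question or the answer above: it validates the incoming Host against a configured allowlist (handling case, ports, trailing dots, userinfo and path junk) and builds the password-reset link from a configured base URL instead of from the request. The allowlist, the base URL and the token value are constructed placeholders.

```python
# Added example: Host allowlist check plus reset-link construction that
# never reads the request Host header. Values below are constructed.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com", "www.example.com"}    # from configuration
CANONICAL_BASE_URL = "https://www.example.com"        # from configuration


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names a configured hostname.

    Accepts an optional port and trailing dot, lowercases the name, and
    rejects userinfo ("evil@example.com"), paths, fragments and bad ports
    that a naive substring check would let through.
    """
    if not host_header or "@" in host_header:
        return False
    raw = host_header.strip()
    try:
        parts = urlsplit("//" + raw)   # parse exactly like a URL authority
        hostname = parts.hostname      # lowercased, brackets/port removed
        parts.port                     # raises ValueError on a bad port
    except ValueError:
        return False
    if hostname is None or parts.netloc != raw:
        return False                   # something other than host[:port]
    hostname = hostname.rstrip(".")
    return hostname in {h.lower() for h in allowed}


def build_reset_link(token):
    """Build the reset URL from configuration, so an attacker-controlled
    Host header cannot redirect the token to another domain."""
    return f"{CANONICAL_BASE_URL}/reset?token={token}"


def handle(environ):
    """Pure request handler returning (status, body); rejects unknown Hosts
    before any application logic runs."""
    if not host_is_allowed(environ.get("HTTP_HOST")):
        return "400 Bad Request", b"Unrecognised Host header\n"
    # TOKEN_PLACEHOLDER stands in for a real, randomly generated token.
    return "200 OK", build_reset_link("TOKEN_PLACEHOLDER").encode()


def app(environ, start_response):
    """Minimal WSGI entry point around handle()."""
    status, body = handle(environ)
    start_response(status, [("Content-Type", "text/plain")])
    return [body]
```

In a real deployment the same allowlist should also be enforced at the reverse proxy or framework level (e.g. a default virtual host that returns 400), so that no application route ever sees an unexpected Host.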