I am a beginner in security and am reading about host header injection. I tested an application for this vulnerability and it is possible there for some requests, but the developer implemented the no-cache, no-store flags and this vulnerability is not in the password reset request.
So, first, there will not be cache poisoning, and second, it is not happening in the password reset request.
As I understand it, to exploit this vulnerability I changed the Host header. So I want to know why it would be a vulnerability: why would a user change the Host of the application, and how can an attacker exploit it?
Host Header Injection
4.9k views, asked by Pawan Dwivedee
1 answer below
As in all cases, client input to the application should never be trusted (in security terms). The Host header is also something that can be changed by the client. A typical attack scenario would be, for example:
Let's suppose you have an application that blindly trusts the HOST header value and uses it without validating it. So you may have the following code in your application, where you load a JS file dynamically (by host name):
In this scenario, whatever the attacker sets as the HOST header would be reflected in this JS script load. So the attacker could tamper with this by manipulating the response to load a JS script from another host (potentially malicious). If the application is using any caching mechanism or CDN and this request is repeated multiple times, it can be cached by the caching proxy. Then it can be served to other users as well (as it was saved to the cache).
Another way of exploiting this is:
Let's suppose that the application has a user password reset feature, and the application will send an email to whoever asks for a password reset with a unique token to reset it, like the email below:
Now an attacker can trigger a password reset for a known victim email by tampering with the HOST header value, setting it to one of his choosing. Then the victim would receive the legitimate password reset email, yet the URL will be changed to the domain set by the attacker. If the victim opens that link, the password reset token could be leaked to the attacker, leading to account takeover.
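An added example, not code from the answer above: a password-reset link builder that reflects the client-supplied Host header, next to a hardened version that only accepts hosts from a configured allowlist. ALLOWED_HOSTS, CANONICAL_HOST, the host names and the request headers are assumed, constructed values.

```python
# Added example (hypothetical names): building a password-reset link from the
# Host header vs. validating Host against an allowlist before using it.
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Assumed deployment configuration: the only hosts this app is served on.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}
CANONICAL_HOST = "app.example.com"


def build_reset_link_vulnerable(headers: Dict[str, str], token: str) -> str:
    """Vulnerable: whatever the client sent as Host ends up in the emailed link."""
    host = headers.get("Host", CANONICAL_HOST)
    return urlunsplit(("https", host, "/reset", f"token={token}", ""))


def trusted_host(headers: Dict[str, str]) -> Optional[str]:
    """Return the normalised host name if it is on the allowlist, else None.

    urlsplit handles the optional :port and bracketed IPv6 forms and lowercases
    the name, so 'App.Example.com:443' normalises to 'app.example.com'.
    """
    hostname = urlsplit("//" + headers.get("Host", "")).hostname
    if hostname is None or hostname.rstrip(".") not in ALLOWED_HOSTS:
        return None
    return hostname.rstrip(".")


def build_reset_link_hardened(headers: Dict[str, str], token: str) -> str:
    """Hardened: refuse the request outright rather than echo an unknown host."""
    host = trusted_host(headers)
    if host is None:
        raise ValueError(f"untrusted Host header: {headers.get('Host')!r}")
    return urlunsplit(("https", host, "/reset", f"token={token}", ""))


if __name__ == "__main__":
    token = secrets.token_urlsafe(16)
    forged = {"Host": "attacker.example"}  # constructed request headers
    print("vulnerable:", build_reset_link_vulnerable(forged, token))
    try:
        build_reset_link_hardened(forged, token)
    except ValueError as err:
        print("hardened  :", err)
```

Frameworks that sit behind a reverse proxy often also consult X-Forwarded-Host when building absolute URLs, so the same allowlist check has to cover that header (or the proxy must strip it) for the protection to hold.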