I am a beginner in security and reading about the host header injection. I tested an application for this vulnerability and it is possible there for some request but developer implemented no-cache, no-store flags and this vulnerability is not in password reset request.
So first thing is there will not be cache poisoning. and the second is it is not happening in password reset request.
As I understand that for exploiting this vulnerability, I changed that host header. So I want to know why will It be a vulnerability, why a user will change Host of the application? and how an attacker can exploit it?
Host Header Injection
4.9k Views Asked by Pawan Dwivedee At
1
There are 1 best solutions below
Related Questions in HTTP-HEADERS
- Difficulty Accessing HTTP URLs/IP Addresses Due to Browser Redirecting to HTTPS: Seeking Solutions
- Put Request throwing 401 [no body] Unauthorized
- Postman HeaderList remote function not working
- HTTP/2 POST requests with compressed responses failing ERR_HTTP2_PROTOCOL_ERROR 200 (OK)
- axios post request keeps on pending in browser (works fine in postman)
- How to rewrite the name of a backend header with nginx as a forward or reverse proxy?
- Netfilter Module to Log HTTP Headers
- Download a file from pre-signed url from s3 using Angular
- HTTP 431 error on Azure App Service with AAD access for some users
- How do I format a date for an HTTP header in gleam?
- HTTP headers with two CSP
- X-Forwarded-For in the request-ip package potential bug
- Custom Header from Network Request not being retrieved with fetch API
- How are white-listed domains actually enforced by some of the big API providers?
- SOAP Client Python zeep Does not pass the specified headers parameters
Related Questions in PENETRATION-TESTING
- X-FRAME-OPTIONS header missing on step1.html of Keycloak
- How do I access an iOS app's SQLite database?
- Can Ettercap capture API requests made in Postman?
- Make AWS default security groups limit all inbound and outbound traffic
- How to resolve API Mass Assignment in web method having single parameter?
- Mobile Pen-Testing approach for chatbox functionality
- Struggling with "API - Mass Assignment" Challenge on Root-Me: Seeking Insights
- Issue in installing apk file in rooted device ( INSTALL_PARSE_FAILED_NO_CERTIFICATES )
- filesystem.py is unable to be read even though the file exists and my user has all permissions for the file (sqlmap)
- How to perform Source Code Scanning on a code that is using RSA Key Container
- Python request.get function returning 404 on all directories even valid ones
- Anti debugging protection for React Native App
- SQLMAP - POST parameter 'password' does not seem to be injectable
- Laravel warning on penetration with owasp zap
- Is there any way to run the React Native app on Android while making android:exported as "false" in AndroidManifest.xml file without an error?
Related Questions in APPLICATION-SECURITY
- Web application security testing
- XML External Entity Injection: Hp Fortify issue in java 1.6
- x-up-calling-line-id header field is not available from new chrome browser update
- How does Stripe know my secret key is leaked?
- Security of sending sensitive intent extras within my own app?
- Is location.hash vulnerable to DOM XSS in jQuery selector when combined with other selectors
- security related to directories
- What are the disadvantages of a Docker container using the host network?
- Alternatives to dotfuscator suite?
- How secure is Oauth 2.0 Implicit Grant?
- Certificate Pinning on .NET
- Upload Trivy result.json file to DefectDojo
- Sending Anti-CSRF token in header is a good practice?
- Host Header Injection
- Missing projects information from the OWASP Secure Coding Practices
Related Questions in WEBSECURITY
- Asp.Net Mvc4 WebSecurity How to activate or deactivate a user account
- Is PHPIDS enough for securing my website?
- JS posts data with special characters in the request payload to service layer, do we need to escape?
- Helmet Content Security Policy Global Path not working
- Do these .env GET requests from localhost indicate an attack?
- Why is hard coding username password security threat in php?
- How to make a self running file?
- Private authentication algorithm - web security
- get 403 forbiden when do ajax call on submit event in codeigniter 4
- What are recommended / minimum parameters for hashlib.scrypt?
- SSL, how to forward the link of to website to SSL included version?
- How does HttpOnly cookie protect against XSS/Injection attack if they are passed automatically with every request?
- How do I find malware in my Wordpress Directory?
- How to disable same origin policy Internet Explorer
- Do browsers really block external content?
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
As in all of the cases the client input on the application should be never trusted (in security terms). The
hostheader attribute is also something that can be changed by the client.A typical attack scenario would be for example:
Lets suppose you have an application that you blindly trust the HOST header value and use it in the application without validating it. So you may have the following code in your application, where you load a JS file dynamically (by host name):
In this scenario, whatever the attacker set as the HOST header would be reflected on this JS script load. So the attacker could tamper with this by manipulating the response to load a JS script from another host (potentially malicious). If the application is using any Caching mechanism or CDN and if this request is repeated multiple times, it can be cached by the Caching Proxy. Then, this can be served to other users as well (as it was saved to cache).
Another way of exploiting this is:
Let suppose that the application has a user password reset feature. And the application will send an email to whoever asks for a password reset with a unique token to reset it, like the email below:
Now an attacker can trigger a password reset for a known victim email by tampering the HOST header value to the one of his desire. Then the victim would receive the legitimate email for password reset, yet the URL will be changed to the domain set by the attacker. If the victim would open that link, the password reset token could be leaked to the attacker so it would lead to account takeover.