I am a beginner in security and reading about host header injection. I tested an application for this vulnerability and it is possible there for some requests, but the developer implemented no-cache, no-store flags and this vulnerability is not in the password reset request.
So first, there will not be cache poisoning, and second, it is not happening in the password reset request.
As I understand it, to exploit this vulnerability I changed the Host header. So I want to know why it would be a vulnerability: why would a user change the Host of the application, and how can an attacker exploit it?
Host Header Injection
4.9k Views Asked by Pawan Dwivedee
As in all cases, client input to the application should never be trusted (in security terms). The Host header is also something that can be changed by the client. A typical attack scenario would be, for example:
Let's suppose you have an application that blindly trusts the HOST header value and uses it in the application without validating it. So you may have the following code in your application, where you load a JS file dynamically (by host name):
In this scenario, whatever the attacker sets as the HOST header would be reflected in this JS script load. So the attacker could tamper with this by manipulating the response to load a JS script from another host (potentially malicious). If the application is using any caching mechanism or CDN and this request is repeated multiple times, it can be cached by the caching proxy. Then this can be served to other users as well (as it was saved to the cache).
Another way of exploiting this is:
Let's suppose that the application has a user password reset feature, and the application will send an email to whoever asks for a password reset with a unique token to reset it, like the email below:
Now an attacker can trigger a password reset for a known victim email by tampering with the HOST header value to one of his desire. Then the victim would receive the legitimate email for the password reset, yet the URL will be changed to the domain set by the attacker. If the victim opened that link, the password reset token could be leaked to the attacker, so it would lead to account takeover.
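Added example, not part of the answer above or of any project: the "before" pattern the answer describes (Host header copied into a script URL or reset link) beside a hardened version that checks the incoming Host against an allow-list and builds every absolute URL, including the password-reset link, from a configured canonical host. The host names and sample requests are constructed assumptions.

```python
from urllib.parse import quote

# Constructed configuration (assumed values, not from the original page):
# host names this deployment serves, and the one used in self-referencing URLs.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_HOST = "example.com"


class InvalidHostError(ValueError):
    """Raised when the Host header names a host this app does not serve."""


def absolute_url_vulnerable(headers: dict, path: str) -> str:
    # "Before" pattern from the answer: the client-supplied Host header is
    # copied straight into the script src / password-reset link.
    return f"https://{headers.get('Host', '')}{path}"


def validate_host(headers: dict) -> str:
    # Strip optional :port, trailing dot and case, then require an exact
    # allow-list match. Reject rather than silently substitute, so a foreign
    # Host shows up as a 4xx in the logs instead of being masked.
    raw = headers.get("Host", "")
    host = raw.split(":", 1)[0].strip().rstrip(".").lower()
    if not host or host not in ALLOWED_HOSTS:
        raise InvalidHostError(f"unexpected Host header: {raw!r}")
    return host


def absolute_url_hardened(headers: dict, path: str) -> str:
    # Hardened form: validate the incoming Host, then build the URL from the
    # configured canonical host rather than from the request header.
    validate_host(headers)
    return f"https://{CANONICAL_HOST}{path}"


def password_reset_link(headers: dict, token: str) -> str:
    # Reset link built the hardened way; the token is URL-encoded.
    return absolute_url_hardened(headers, f"/reset?token={quote(token, safe='')}")


if __name__ == "__main__":
    # Constructed sample requests: one from the real site, one with a
    # client-chosen Host (the scenario the answer describes).
    legit, tampered = {"Host": "www.example.com:443"}, {"Host": "attacker.example"}
    print(absolute_url_vulnerable(tampered, "/static/app.js"))  # Host reflected
    print(absolute_url_hardened(legit, "/static/app.js"))  # canonical host used
    try:
        absolute_url_hardened(tampered, "/static/app.js")
    except InvalidHostError as e:
        print("rejected:", e)
```

Frameworks such as Django (`ALLOWED_HOSTS`) apply the same check on every request; the point is that the URL host comes from configuration, never from the request.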