Testing for Vulnerability

Test Objectives

  • Assess if the Host header is being parsed dynamically in the application.

  • Bypass security controls that rely on the header.

How to Test

  • Supply an arbitrary Host header

GET / HTTP/1.1
Host: www.attacker.com

  • Check for flawed validation (bypass)

# Supplying a non-numeric port number

GET /example HTTP/1.1
Host: vulnerable-website.com:bad-stuff-here
# Registering a lookalike domain that contains the legitimate host name as a substring

GET /example HTTP/1.1
Host: notvulnerable-website.com
# Using an already compromised subdomain of the legitimate domain

GET /example HTTP/1.1
Host: hacked-subdomain.vulnerable-website.com

  • Send ambiguous requests

# Inject duplicate Host headers

GET /example HTTP/1.1
Host: vulnerable-website.com
Host: bad-stuff-here
# Supply an absolute URL

GET https://vulnerable-website.com/ HTTP/1.1
Host: bad-stuff-here
# Add line wrapping

GET /example HTTP/1.1
    Host: bad-stuff-here
Host: vulnerable-website.com

Other Techniques

This is just a small sample of the many possible ways to issue harmful, ambiguous requests. For example, you can also adapt many HTTP request smuggling techniques to construct Host header attacks.

  • Inject host override headers

# Using X-Forwarded-Host to inject malicious input

GET /example HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-Host: bad-stuff-here
# Similar types of override headers

    X-Host
    X-Forwarded-Server
    X-HTTP-Host-Override
    Forwarded

In Burp Suite, you can use the Param Miner extension's "Guess headers" function to automatically probe for supported headers using its extensive built-in wordlist.
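The defensive counterpart to the probes above is strict Host validation at the application or reverse proxy. The following is an added example (not part of this page or any product it mentions) that rejects each ambiguity shown: line-wrapped headers, duplicate Host headers, non-numeric ports, suffix and subdomain lookalikes, and absolute-URL targets that disagree with Host, while ignoring override headers such as X-Forwarded-Host. The allowlist and host names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Exact allowlist of the hostnames this deployment serves (constructed for the example).
ALLOWED_HOSTS = {"vulnerable-website.com", "www.vulnerable-website.com"}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
# DNS-style host name: labels of letters, digits and hyphens (IP literals are out of scope).
HOSTNAME = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$")


def effective_host(raw_request: str):
    """Return the validated host for a raw HTTP/1.1 request head, or None to reject.

    Each rejection corresponds to one probe from the text: line-wrapped headers,
    duplicate Host headers, non-numeric ports, suffix or subdomain lookalikes, and
    absolute-URL request targets that disagree with Host. Override headers such as
    X-Forwarded-Host are never consulted, so they cannot influence the result.
    """
    lines = raw_request.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    target = m.group(2)

    hosts = []
    for line in lines[1:]:
        if line == "":                       # end of the header block
            break
        if line[0] in " \t":                 # obsolete line folding: reject, never merge
            return None
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            hosts.append(value.strip().lower())
    if len(hosts) != 1:                      # missing or duplicate Host header
        return None

    host, sep, port = hosts[0].partition(":")
    if sep and not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        return None                          # e.g. "vulnerable-website.com:bad-stuff-here"
    if not HOSTNAME.match(host) or host not in ALLOWED_HOSTS:
        return None                          # exact match only: no suffix or subdomain matching

    if target.startswith(("http://", "https://")):
        if urlsplit(target).hostname != host:  # absolute-form target must agree with Host
            return None
    elif not target.startswith("/"):
        return None
    return host
```

Every request in the "How to Test" section above is rejected by this function, while a request whose single Host header exactly matches an allowlisted name (with an optional numeric port) is accepted.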
