Finding Host header injection

Jody Ritonga, published in System Weakness, 4 min read, Mar 20, 2023

Hello everyone! This is Jody Ritonga, back again with another bug bounty writeup! In this article I want to walk you through Host Header Injection 101 and show you some techniques that have been useful to me in my bug bounty journey. Well, technically these techniques are not mine, as I found them in other writeups.

https://perishablepress.com/host-header-injection-fix/

So first of all, let me briefly explain what a Host header injection attack is. It is a type of security vulnerability that affects web applications that rely on the Host header to determine which website to serve. In a Host header injection attack, an attacker sends a specially crafted HTTP request to a web server that contains a modified Host header. By manipulating the Host header, the attacker can trick the server into serving content from a different website or domain. This can lead to various security issues, such as sensitive data disclosure, authentication bypass, and cross-site scripting (XSS) attacks. Well, I hope that explanation is acceptable to all of my readers, hehe. Anyway, enough definitions.

You know what’s really dangerous in the wrong hands? This attack! And as a developer, the key practice to prevent it is validation. It’s crucial to validate the host and ensure that it matches the expected value. Failing to do so can result in numerous vulnerabilities. So always remember: validate, for the sake of your company’s security and coolness.

Let’s get into the fun part, shall we? Three months ago, I found a host header injection vulnerability in a subsidiary company’s website that provides cloud gaming services. To maintain confidentiality, let’s refer to it as ‘redacted.com’. Here are the steps I followed to find the bug:

  1. If you have been a loyal reader of my blog, you must be familiar with the first methodology I use, which is to test the login page for bugs such as no rate limit, HTML injection, or bypass mechanisms. You might wonder why I don’t conduct reconnaissance first. The simple answer is that I want to make money quickly. Although I understand that this mindset may not be the best, we all need money fast. Therefore, I conduct this low-hanging test to check whether I can easily make money or not.
  2. When I was testing those low-hanging fruits, I didn’t get anything. Was I sad, or did I give up? No! I felt more challenged. After realizing that I couldn’t get easy money, I started looking into every request that I caught in Burp Suite. I began reading about common bugs that often occur during password resets. This motivated me to keep going and push myself to find more complex vulnerabilities. Sometimes the lack of success can actually be a blessing in disguise, as it forces us to expand our skills and knowledge.
  3. At this time, I didn’t know that there was a vulnerability called ‘Host Header Injection.’ I found a post explaining Host Header Injection in detail, which made my bug hunter senses tingle, thinking ‘Okay, let’s test this out!’
  4. So I went to Burp Suite, intercepted the forgot-password request, and got this response:

I used my victim account ritonga1844@gmail.com as the test account for host header injection. When I saw this response, I tried changing the host from

Host: www.Redacted.com

into

Host: www.evil.com

But it didn’t work, so I tried another method, which looks like this:

Host: www.bing.com
X-Forwarded-Host: www.Redacted.com

And after that, boom! When I clicked the reset password link in the email, it led me to bing.com.
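As an added illustration (not code from the original writeup or the target site), here is a small Python model of why the second attempt failed while the third worked, alongside the server-side handling that closes the hole. The hostnames, token and header dicts are constructed placeholders standing in for parsed HTTP requests.

```python
# Added example, not code from the original post: a minimal model of the
# password-reset flow described above. Hostnames, token and header dicts are
# constructed placeholders.
import re

ALLOWED_HOSTS = {"www.redacted.com"}      # the site's own hostname (placeholder)
CANONICAL_HOST = "www.redacted.com"        # taken from server config, never from the request
HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+(:\d{1,5})?$")


def reset_link_vulnerable(headers, token):
    """Behaviour consistent with the writeup: the host check honours
    X-Forwarded-Host when present, but the emailed link is rendered from Host."""
    checked = (headers.get("X-Forwarded-Host") or headers.get("Host", "")).lower()
    if checked not in ALLOWED_HOSTS:
        return None                        # "Host: www.evil.com" alone is rejected here...
    return f"https://{headers['Host']}/reset?token={token}"   # ...but Host still wins here


def reset_link_hardened(headers, token):
    """Ignore forwarding headers, require an exact allowlisted Host, and
    build the link from configuration rather than from any request header.
    (If a trusted reverse proxy sets X-Forwarded-Host, validate it there.)"""
    host = headers.get("Host", "").strip().lower()
    if not HOSTNAME_RE.match(host) or host not in ALLOWED_HOSTS:
        return None
    return f"https://{CANONICAL_HOST}/reset?token={token}"


# Constructed requests mirroring the three attempts in the writeup.
ATTEMPT_PLAIN = {"Host": "www.redacted.com"}
ATTEMPT_HOST_ONLY = {"Host": "www.evil.com"}
ATTEMPT_FORWARDED = {"Host": "www.bing.com", "X-Forwarded-Host": "www.Redacted.com"}

if __name__ == "__main__":
    for name, req in [("plain", ATTEMPT_PLAIN), ("host-only", ATTEMPT_HOST_ONLY),
                      ("forwarded", ATTEMPT_FORWARDED)]:
        print(name, reset_link_vulnerable(req, "t0k3n"), reset_link_hardened(req, "t0k3n"))
```

The vulnerable version reproduces the observed result (a reset link pointing at bing.com), while the hardened version rejects the same request outright.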

And that’s it, guys! That’s how I found Host Header Injection. I hope you can learn something from this, and I strongly suggest that when you are testing a website, always read other people’s writeups. Read the writeup and apply it to your current target. Don’t let duplicates stop you! See you in the next article!


A 19 y.o. who likes to learn about web application security! Truly in love with books and cyber security.