Score:0

Host Header Injection in test lab


Trying to see if a server (in a test lab) is vulnerable to host header injection or not. In the second scenario, where I insert the host header "www.cow.com", I still get 302 Found. Does this mean this is vulnerable to host injection? If it were not, would I see 404 Not Found?

Scenario 1:

```
kali01:~$ curl -v http://10.10.10.10/login.html
* Trying 10.10.10.10:80...
* TCP_NODELAY set
* Connected to 10.10.10.10 (10.10.10.10) port 80 (#0)
> GET /login.html HTTP/1.1
> Host: 10.10.10.10
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Location: https://10.10.10.10:443/login.html
< Connection: close
< Strict-Transport-Security: max-age=15552000, preload
< X-Frame-Options: DENY
< Content-Length: 0
```

Scenario 2:

When host header www.cow.com is inserted, I still get 302 Found.

```
kali01:~$ curl -H "Host:www.cow.com" -v http://10.10.10.10/login.html
* Trying 10.10.10.10:80...
* TCP_NODELAY set
* Connected to 10.10.10.10 (10.10.10.10) port 80 (#0)
> GET /login.html HTTP/1.1
> Host:www.cow.com
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Location: https://www.cow.com:443/login.html
< Connection: close
< Strict-Transport-Security: max-age=15552000, preload
< X-Frame-Options: DENY
< Content-Length: 0
<
* Closing connection 0
```

Michael Hampton
It redirected to the web app, didn't it?
Pamelaxyz
Yes, from the curl output it says so. But when I paste that https://www.cow.com:443/login.html, I can't open a web page in a browser. I am sure I am missing something, or is the curl output showing the redirection enough to prove a website is vulnerable?
Michael Hampton
Yes, the curl output is enough to demonstrate the problem.
ph flag
What happens if you have `curl` connect over https instead of plain http?
Pamelaxyz
With https, I still see 200 OK.

```
kali01:~$ curl -H "Host:www.crm.com" -v https://10.10.10.10/login.html -k
<......>
> GET /login.html HTTP/1.1
> Host:www.crm.com
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Last-Modified: Thu, 23 Sep 2021 15:38:23 GMT
< Etag: "614c9f6f.636"
< Expires: 0
< Cache-Control: max-age=15552000, must-revalidate
```
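
Added example (not part of the original thread, and not written by any of its participants): a small Python check that parses `curl -v` output like the transcripts above and reports whether the host in the redirect's `Location` header is one the operator expects or just echoes the request's `Host` header. The function names and the `expected_hosts` allowlist are assumptions for illustration; the sample transcripts are trimmed from the thread.

```python
import re
from urllib.parse import urlsplit

HEADER = re.compile(r"^([<>])\s*([A-Za-z0-9-]+):\s*(.*)$")
STATUS = re.compile(r"^<\s*HTTP/\S+\s+(\d{3})")

# Trimmed from the transcripts in this thread (lab address 10.10.10.10).
SCENARIO_1 = """> Host: 10.10.10.10
< HTTP/1.1 302 Found
< Location: https://10.10.10.10:443/login.html
"""
SCENARIO_2 = """> Host:www.cow.com
< HTTP/1.1 302 Found
< Location: https://www.cow.com:443/login.html
"""
HTTPS_CASE = """> Host:www.crm.com
< HTTP/1.1 200 OK
< Expires: 0
"""

def parse_curl_verbose(transcript):
    """Return (status, sent headers, received headers) from `curl -v` output."""
    status, sent, received = None, {}, {}
    for raw in transcript.splitlines():
        line = raw.strip()
        if (m := STATUS.match(line)):
            status = int(m.group(1))
        elif (m := HEADER.match(line)):
            side = sent if m.group(1) == ">" else received
            side[m.group(2).lower()] = m.group(3).strip()
    return status, sent, received

def classify(transcript, expected_hosts):
    """Say whose host name ended up in the Location header."""
    _, sent, received = parse_curl_verbose(transcript)
    location = received.get("location")
    if location is None:
        return "no-redirect"      # nothing to judge in this response
    target = (urlsplit(location).hostname or "").lower()
    sent_host = (urlsplit("//" + sent.get("host", "")).hostname or "").lower()
    if not target:
        return "relative"         # Location carries no host at all
    if target in expected_hosts:
        return "canonical"        # redirect stays on a name the operator owns
    return "reflected" if target == sent_host else "other"

if __name__ == "__main__":
    for name, t in [("1", SCENARIO_1), ("2", SCENARIO_2), ("https", HTTPS_CASE)]:
        print(name, classify(t, {"10.10.10.10"}))
```

The classification depends on the `Location` value, not on the status code: both HTTP scenarios return 302, and only the second puts the supplied name into the redirect.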