Hello guys, hope everyone is doing well. I would like to share one of my findings.
What is Host Header Injection?
When building URIs for links in web applications, developers often rely on the HTTP Host header of the request sent by the client. A remote attacker can exploit this by sending a forged Host header containing a domain name under their control, allowing them to poison a web cache or password reset emails, for example.
How I exploited this vulnerability
Finding this vulnerability did not take much time. I simply took a request and replaced the original host name (abc.com) in the Host header field with a different host (bing.com).
The response looked something like the image below, in which I managed to redirect to bing.com. By repeating the same step 4 to 5 times I successfully poisoned my web browser cache: if I type abc.com, the browser takes me to the bing.com home page.
Remediation:
Mitigating host header injection is simple: don’t trust the Host header. However, in some cases this is easier said than done (especially with legacy code). If you must use the Host header to identify the location of the web server, validate it against a whitelist of allowed hostnames and never let an unrecognised value reach a generated link.
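The following is an added example, not code from the original post or from the application described in it. It shows the link-building pattern from the "What is Host Header Injection?" section beside the whitelist remediation above: a password reset link built straight from the client's Host header, and a hardened version that normalises the header (lower-case, port stripped, hostname shape checked) and only accepts values on a configured allowlist, falling back to a canonical host otherwise. The hostnames `abc.com`, `www.abc.com`, `bing.com`, the `/reset` path and the tokens are constructed sample values, and the request headers are assumed to arrive as a plain dict with lower-case keys.

```python
"""Host header validation for link generation (added example, not from the original post)."""
import re
from typing import Optional

# Constructed allowlist: the only hostnames this application is ever served under.
ALLOWED_HOSTS = {"abc.com", "www.abc.com"}
CANONICAL_HOST = "abc.com"  # used whenever the Host header cannot be trusted

# Hostname shape per RFC 1123: labels of letters, digits and hyphens, joined by dots,
# no label starting or ending with a hyphen. Anything else (slashes, "@", spaces) is rejected.
_HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")


def build_reset_url_vulnerable(headers: dict, token: str) -> str:
    """The pattern the post describes: the link points wherever the client's Host header says."""
    host = headers.get("host", CANONICAL_HOST)
    return f"https://{host}/reset?token={token}"


def normalize_host(raw: str) -> Optional[str]:
    """Lower-case the value, drop an explicit ":port", and reject anything that is not a bare hostname."""
    host = raw.strip().lower()
    # Strip ":port"; bracketed IPv6 literals are left alone (they are not in the allowlist anyway).
    if not host.startswith("[") and ":" in host:
        host = host.rsplit(":", 1)[0]
    if not _HOSTNAME_RE.match(host):
        return None
    return host


def host_is_allowed(raw: Optional[str], allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a well-formed hostname that is on the allowlist (exact match after normalisation)."""
    if raw is None:
        return False
    host = normalize_host(raw)
    return host is not None and host in allowed_hosts


def build_reset_url(headers: dict, token: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened version: a forged or malformed Host header can never steer the generated link.

    If a reverse proxy in front of the app rewrites Host and forwards the original in
    X-Forwarded-Host, that forwarded value must go through the same check before use.
    """
    raw = headers.get("host")
    host = normalize_host(raw) if host_is_allowed(raw, allowed_hosts) else CANONICAL_HOST
    return f"https://{host}/reset?token={token}"


if __name__ == "__main__":
    # Constructed request headers: a legitimate request and one with a forged Host header.
    legit = {"host": "WWW.abc.com:443"}
    forged = {"host": "bing.com"}
    print("vulnerable, forged :", build_reset_url_vulnerable(forged, "tok123"))
    print("hardened, forged   :", build_reset_url(forged, "tok123"))
    print("hardened, legit    :", build_reset_url(legit, "tok123"))
```

Falling back to the canonical host rather than raising keeps the reset flow working for the legitimate user while a forged header only ever produces a link back to the real site; whether you fall back or reject the request outright, the important property is that the raw header value never appears in output or in a cacheable response.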