Demystifying Host Header Injection: The Hidden Gems in the Bug Bounty Arsenal
Host Header Injection (HHI) is a type of web vulnerability that is often ignored. But HHI can lead to serious attacks with many different possibilities. It is frequently used by bug bounty hunters. In this vulnerability, the header of the HTTP request is changed to exploit the web application’s trust in the Host header.
As a result, the cyber attacker can carry out attacks like phishing, session hijacking, and cache poisoning. It is important to understand the mechanics, impact, and potential of HHI in the bug bounty area.
What is Host Header Injection (HHI)?
Imagine the internet as a bustling city with skyscrapers representing websites. Each skyscraper has a specific address (domain name) like “example.com.”
Now, when you visit a website, your browser sends a virtual postcard with a “To:” address indicating the specific skyscraper you want to visit. This address is conveyed through an HTTP header called the Host header.
However, things get interesting if a vulnerable website allows you to control this “To:” address. This is where HHI comes in. It occurs when an attacker injects malicious content into the Host header, tricking the server into visiting unintended destinations or manipulating its behavior.
How Does HHI Work?
Imagine inserting “example.com;evil.net” into the Host header when visiting “example.com.” A vulnerable server might misinterpret this, sending your request to both “example.com” and “evil.net.” This opens a pandora’s box of possibilities:
- Content Spoofing: Attackers can serve poisoned content from “evil.net” instead of the legitimate site, leading to phishing attacks or information theft.
- Open Redirects: Malicious redirects to phishing sites can occur if the server trusts the manipulated Host header for redirect decisions.
- Internal Access: Injuring specific subdomains can bypass access controls, offering peeks into internal resources or functionality.
- Resource Exhaustion: Flooding the server with crafted Host headers can lead to denial-of-service attacks.
How to Test Host Header Injection?
To test host header injection vulnerability, one can enter a different domain name (like attacker.com) in the Host header field—the server’s response to this input impact. The attack is successful if the server sends the request to a domain controlled by the attacker instead of an internal virtual host on the server.
GET / HTTP/1.1
Host: www.attacker.com
[…]In the simplest case, this may cause a 302 redirect to the supplied domain.
HTTP/1.1 302 Found
[…]
Location: http://www.attacker.com/login.phpAlternatively, the web server may send the request to the first virtual host on the list.
X-Forwarded Host Header Bypass
If thet Host header injection is mitigated by checking for invalid input injected via the Host header, you can supply the value to the X-Forwarded-Host header.
GET / HTTP/1.1
Host: www.example.com
X-Forwarded-Host: www.attacker.com
[…]Potentially producing client-side output such as:
[…]
< link src="http://www.attacker.com/link" / >
[…]Once again, this depends on how the web server processes the header value.
HHI in the Bug Bounty Game:
The versatility of HHI makes it a powerful tool for bug bounties. Here’s how:
- Low-hanging fruit: HHI vulnerabilities are often overlooked, presenting easy wins for hunters. Even seemingly well-protected sites can fall prey.
- Creative exploits: The diversity of attack vectors allows for imaginative hunting, uncovering unique vulnerabilities often missed by automated scanners.
- High-impact potential: Successful HHI exploitation can lead to critical vulnerabilities like data breaches or account takeovers, earning significant rewards.
You can check here Host Header Injection Bug Bounty Write-ups For Web Security Vulnerability
Tips for Hunting HHI:
- Fuzzing: Tools like Burp Suite can be used to fuzz input fields and identify potential injection points.
- Manual testing: Manually crafting malicious Host headers with different payloads can reveal hidden vulnerabilities.
- Analyzing source code: Reviewing server-side logic can sometimes point toward HHI vulnerabilities.
- Remember: Responsible disclosure is crucial. Always report vulnerabilities ethically and collaborate with developers to ensure proper patching.
Check Burp-Suite Tutorials here
Conclusion:
While often underestimated, Host Header Injection is a potent weapon in the bug bounty hunter’s arsenal. Understanding its mechanics and diverse applications empowers hunters to discover intricate vulnerabilities, unlocking the doors to exciting opportunities and substantial rewards.
So, remember, the next time you visit a website, don’t just focus on the content – think about the “To:” address and the creative chaos you can unleash if it falls into the wrong hands. Happy hunting!
