In simple terms: if a request for website x.com is sent with the Host header changed to y.com, and the application accepts that host and serves or redirects to it, the site is vulnerable to a Host header attack.
Vulnerability Description:
Open redirection is sometimes used as part of phishing attacks that confuse visitors about which website they are visiting.
How to find this vulnerability
1. Change the Host header to x.com and send the request. If this does not succeed, try the next method.
2. Change the Host header to x.com and set X-Forwarded-Host to the original domain.com. If this still does not succeed, try the next one.
3. Do the opposite of step 2: keep the Host header as the original domain.com and set X-Forwarded-Host to x.com.
If none of the above steps succeeds, the website is probably protected against this vulnerability.
Remediation:
If possible, the application should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways:
- Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
- Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.
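The following is an added example, not code from the original write-up or from the reported site. It shows a redirect builder that trusts the Host / X-Forwarded-Host headers (the behaviour the test steps above look for) next to a hardened version that pins the expected host and resolves the target through a server-side index table, as the second remediation describes. The canonical host, the target table and the header values are constructed for the example.

```python
# Added example (not from the original write-up). Compares a redirect builder
# that trusts proxy host headers with one that validates Host and uses an
# index into a server-side allowlist. All hostnames and URLs are constructed.

from urllib.parse import urlsplit

CANONICAL_HOST = "example.com"  # constructed: the site's real hostname

# Constructed server-side table of permitted redirect targets; the client
# passes an index into this list rather than a URL.
REDIRECT_TARGETS = [
    "https://example.com/settings/account",
    "https://example.com/dashboard",
]


def vulnerable_redirect(headers: dict, path: str) -> str:
    """Builds an absolute redirect URL from X-Forwarded-Host (or Host).

    Because the header values are taken verbatim, a forged header changes
    where the user is sent: this is the Host header / open redirect bug.
    """
    host = headers.get("X-Forwarded-Host") or headers.get("Host", CANONICAL_HOST)
    return f"https://{host}{path}"


def hardened_redirect(headers: dict, target_index: str):
    """Returns the allowed redirect URL, or None if the request must be
    rejected (caller should answer 400 and not redirect).

    Client-controlled host headers are never used to build the URL; the
    Host header is only checked against the configured canonical host.
    """
    host = headers.get("Host", "")
    # Strip an optional port and compare case-insensitively; a missing or
    # foreign Host fails closed. X-Forwarded-Host is ignored entirely.
    if host.split(":", 1)[0].lower() != CANONICAL_HOST:
        return None
    if not target_index.isdigit():
        return None
    idx = int(target_index)
    if idx >= len(REDIRECT_TARGETS):
        return None
    url = REDIRECT_TARGETS[idx]
    # Defence in depth: the table entry itself must stay on our own host.
    if urlsplit(url).hostname != CANONICAL_HOST:
        return None
    return url
```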
Example of a Bug Reported:
Vulnerable URL:
https://wakatime.com/settings/account?apikeyrefresh=true
Payload: X-Forwarded-Host: bing.com
How to reproduce this vulnerability:
- Open the URL https://wakatime.com/settings/account?apikeyrefresh=true and send the request to Repeater in Burp Suite.
- Add the payload header to the request and forward it.
- The response redirects directly to bing.com.
Impact:
Whenever a user visits this URL, it will redirect them to site.com, which can be used in phishing attacks.