The host header specifies which website or web application should process an incoming HTTP request. The web server uses the value of this header to dispatch the request to the specified website or web application. Each web application hosted on the same IP address is commonly referred to as a virtual host. So what constitutes a host header attack?
What happens if we specify an invalid Host Header? Most web servers are configured to pass the unrecognized host header to the first virtual host in the list. Therefore, it’s possible to send requests with arbitrary host headers to the first virtual host.
By using this attack, we can check whether the host is properly validated or not?
Below is the example site where I’ve found this vulnerability. I have specified the rank and severity of this vulnerability, which is high.
Vulnerable URL: https://openedx.microsoft.com/
Vulnerability: Host Header Attack
Owasp rank: A6 (Security Misconfiguration)
Steps to Reproduce the Vulnerability:
First, go to the URL of https://openedx.microsoft.com/
Later intercept the response of the particular URL using Burp suite Proxy Tool
Spider the host to get the 302-redirect page and intercept the request with Burp suite
Here I have changed the hostname from openedx.microsoft.com to bing.com in response the location is changed to https://bing.com
I have also enclosed the POC for your reference,
Target host is openedx.microsoft.com
Here I have changed the target host of openedx.microsoft.com to bing.com
Later I captured the Burp suite response and opened it in a browser, the page gets redirected to the 404 response page of bing.com
Thank you for viewing this blog and this is my first blog if you feel any clarifications regarding this blog please let me know