If I go to the HTTP site, e.g. http://www.example.com, the site will redirect (code 301) to the HTTPS version https://www.example.com.
On various pentests I observed that if I modify the Host header in the HTTP request, the Location header in the 301 redirect response would use that value for the redirect. For example:
GET / HTTP/1.1
Host: www.example.com --> www.gulu.com
HTTP/1.1 301
Location: https://www.example.com --> https://www.gulu.com
(The TCP frame's destination IP is of course still the original one in the request above.) This is a vulnerability, as the server uses the unvalidated Host header's value.
But how could someone realistically leverage that vulnerability for exploitation, e.g. redirecting a victim to a malicious website? I couldn't come up with a scenario where I would realistically be able to manipulate the Host header of a victim's request (only a man-in-the-middle, I guess, could work) or make the victim click on a link that would perform such a manipulation.
Does anyone have some insight into this?
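To make the server-side defect concrete, here is an added example (not from the question or any real site) of a minimal HTTP-to-HTTPS redirect handler in two forms: the vulnerable one, which copies the Host header into Location exactly as observed above, and a hardened one that only redirects to hostnames the server is actually authoritative for. The allowed-host list and the WSGI-style (status, headers) return shape are assumptions for the illustration.

```python
# Added example, not code from the original post. A WSGI-style
# HTTP->HTTPS redirect: the vulnerable form echoes the Host header into
# Location; the hardened form only redirects to hostnames it serves.
from urllib.parse import urlsplit

# Hostnames this server is authoritative for (assumed for the example).
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def _host_from_header(host_header: str) -> str:
    """Normalise a Host value: strip whitespace and an optional :port."""
    host = host_header.strip()
    # urlsplit handles "host:port" and IPv6 literals like "[::1]:8080".
    return urlsplit("//" + host).hostname or ""


def vulnerable_redirect(headers: dict) -> tuple:
    """301 whose Location is built straight from the unvalidated Host."""
    host = headers.get("Host", "")
    return ("301 Moved Permanently", [("Location", f"https://{host}/")])


def hardened_redirect(headers: dict) -> tuple:
    """301 only to a hostname this server serves; otherwise a 400."""
    host = _host_from_header(headers.get("Host", ""))
    if host not in ALLOWED_HOSTS:
        # Unknown Host: refuse instead of reflecting it. Redirecting to a
        # fixed canonical host would also be acceptable; never echo it.
        return ("400 Bad Request", [("Content-Type", "text/plain")])
    return ("301 Moved Permanently", [("Location", f"https://{host}/")])


def location_of(response: tuple) -> str:
    """Pull the Location header out of a (status, headers) response."""
    return dict(response[1]).get("Location", "")


if __name__ == "__main__":
    spoofed = {"Host": "www.gulu.com"}  # constructed request headers
    print(location_of(vulnerable_redirect(spoofed)))  # reflects the spoofed host
    print(hardened_redirect(spoofed)[0])              # 400 Bad Request
```

Checking a server is as simple as sending the same request with an unexpected Host value and comparing the Location header against the allowlist, which is exactly what the hardened handler does on its own.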