
I want to inject the collaborator payload in the HTTP Host header (HTTP Host header injection).

GET / HTTP/1.1
Host: payload.collaborator.net

The Host header is used to reach the targeted webserver and fetch the vhost or any backend component, right? But if that's the case, how does my payload even reach the vulnerable website? The Host header now consists of the payload, which is basically the domain of the collaborator server.

Which concept comes into play here?

PasWei

1 Answer


The Host header is used to reach the targeted webserver and fetch the vhost or any backend component, right?

Incorrect: the Host header is part of the HTTP request that is sent to a webserver. HTTP is a higher-layer protocol, whereas the webserver is reached at the IP level, on its IP address.

Web servers can be configured to serve websites on multiple domain names, and thus accept different Host headers. A webserver should drop or reject requests with unknown Host headers, since otherwise any domain could be pointed at the webserver and content would be served.

Injecting a Burp Collaborator URL in the Host header can be used to detect certain vulnerabilities. It is unlikely the webserver will send a request to the URL in the Host header (if it did, you would have found an SSRF vulnerability). It is more likely that the Host header is used unsafely. For instance, in some badly configured webservers, it would be possible to do a password reset injection.

Wouter
  • Regarding the last paragraph, what if we take this scenario: intercept a request made to the vulnerable site through Burp -> send to Repeater -> change the Host header to the collaborator payload -> send the request. Will that request go through the vulnerable site, or directly ping the collaborator server? Because in order for it to be vulnerable to SSRF, the target application should be making the request. – Just.a.tech Aug 10 '22 at 15:34
  • The request will go through the vulnerable site. The Host header is not used for routing, it is just a header specifying which host it is connecting to. The packet as a whole is sent to the IP address of the vulnerable server. Indeed, for SSRF, the vulnerable server should make a request towards the address in the Host header. That is why I mentioned this as "unlikely". – Wouter Aug 10 '22 at 15:37
  • The Host header can be used by the webserver to determine which vhost/application is addressed. A single webserver can serve multiple websites to multiple hostnames, and since the packet will be addressed to the IP address of the server, the Host header is required for the webserver to determine the correct destination. – Wouter Aug 10 '22 at 15:39
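The following is an added example, not code from the original question or answer. It demonstrates the two points made above: first, that a request whose Host header is set to a collaborator-style hostname still lands on the server you opened the TCP connection to (here a throwaway listener on 127.0.0.1, standing in for the target's IP), and second, what "the Host header is used unsafely" looks like in a password-reset handler, with a hardened version beside it that rejects unknown Host values and builds links from a configured hostname. The vhost table, the hostnames, the token and the request bytes are all constructed for the demo.

```python
import re
import socket
import threading
from typing import Optional

# Constructed demo values (not from the original post).
KNOWN_VHOSTS = {"www.example.com", "shop.example.com"}  # hostnames this server serves
CANONICAL_HOST = "www.example.com"                      # hostname used in outgoing links
INJECTED_HOST = "payload.collaborator.net"               # collaborator-style Host value
TOKEN = "abc123"                                         # placeholder reset token

HOST_RE = re.compile(r"^Host:[ \t]*([^\r\n]+?)[ \t]*\r?$", re.IGNORECASE | re.MULTILINE)


def host_from_request(raw: bytes) -> Optional[str]:
    """Return the Host header value from a raw HTTP/1.1 request, lower-cased, port stripped.

    Deliberately simple: no bracketed IPv6 literal handling, since the demo does not need it.
    """
    m = HOST_RE.search(raw.decode("latin-1"))
    if not m:
        return None
    return m.group(1).lower().split(":")[0]


def start_recording_server():
    """Bind a one-shot TCP listener on 127.0.0.1 that records the peer address and Host header
    of whatever request reaches it, then answers 200 and shuts down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = {}

    def serve():
        conn, peer = srv.accept()
        with conn:
            data = b""
            while b"\r\n\r\n" not in data:  # read until end of headers
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            seen["host"] = host_from_request(data)
            seen["peer"] = peer[0]
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, seen, t


def send_with_host(port: int, host_value: str) -> dict:
    """Connect to 127.0.0.1:port (the 'target IP') and send a GET whose Host header is host_value.

    The Host value is just bytes inside the request; it has no influence on which IP the
    socket connects to.
    """
    req = f"GET / HTTP/1.1\r\nHost: {host_value}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(req)
        resp = s.recv(4096)
    return {"status_line": resp.split(b"\r\n", 1)[0].decode(), "request": req}


def demo_routing() -> dict:
    """Show that the injected Host header arrives at the server we dialled, not at the collaborator."""
    port, seen, t = start_recording_server()
    out = send_with_host(port, INJECTED_HOST)
    t.join(5)
    return {"server_saw_host": seen.get("host"), "server_saw_peer": seen.get("peer"), **out}


def reset_link_vulnerable(raw: bytes, token: str = TOKEN) -> str:
    """Unsafe use of Host: the reset URL is built from the attacker-controlled header, so the
    victim's token is mailed to them inside a link pointing at the attacker's domain."""
    return f"https://{host_from_request(raw)}/reset?token={token}"


def reset_link_hardened(raw: bytes, token: str = TOKEN) -> Optional[str]:
    """Reject requests for vhosts we do not serve (caller should answer 421/400), and never use
    the request's Host when building links; use the configured canonical hostname instead."""
    host = host_from_request(raw)
    if host not in KNOWN_VHOSTS:
        return None
    return f"https://{CANONICAL_HOST}/reset?token={token}"


if __name__ == "__main__":
    print(demo_routing())
    forged = b"GET /forgot HTTP/1.1\r\nHost: payload.collaborator.net\r\n\r\n"
    print("vulnerable:", reset_link_vulnerable(forged))
    print("hardened:  ", reset_link_hardened(forged))
```

`demo_routing()` reports the Host value the listener saw (`payload.collaborator.net`) together with the peer address it saw (`127.0.0.1`), which is the point of the answer: the bytes go to the IP you connected to, and only the application's later handling of the header decides whether the collaborator domain is ever contacted (e.g. via a reset e-mail the victim clicks) or whether the request is refused as an unknown vhost.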