
Trying to see if a server (in a test lab) is vulnerable to host header injection or not. In the second scenario, where I insert the host header as "www.cow.com", I still get 302 Found. Does this mean this is vulnerable to host injection? If it were not, would I see 404 Not Found?

Scenario 1:

kali01:~$ curl -v http://10.10.10.10/login.html
* Trying 10.10.10.10:80...
* TCP_NODELAY set
* Connected to 10.10.10.10 (10.10.10.10) port 80 (#0)
> GET /login.html HTTP/1.1
> Host: 10.10.10.10
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Location: https://10.10.10.10:443/login.html
< Connection: close
< Strict-Transport-Security: max-age=15552000, preload
< X-Frame-Options: DENY
< Content-Length: 0
Scenario 2:

When the Host header www.cow.com is inserted, I still get 302 Found.

kali01:~$ curl -H "Host:www.cow.com" -v http://10.10.10.10/login.html
* Trying 10.10.10.10:80...
* TCP_NODELAY set
* Connected to 10.10.10.10 (10.10.10.10) port 80 (#0)
> GET /login.html HTTP/1.1
> Host:www.cow.com
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Location: https://www.cow.com:443/login.html
< Connection: close
< Strict-Transport-Security: max-age=15552000, preload
< X-Frame-Options: DENY
< Content-Length: 0
<
* Closing connection 0
  • It redirected to the web app, didn't it? – Michael Hampton Sep 24 '21 at 01:42
  • Yes, from the curl output it says so. But when I paste that https://www.cow.com:443/login.html, I can't open the web page in a browser. I am sure I am missing something, or is the curl output showing the redirection enough to prove the web server vulnerable? – Pamelaxyz Sep 24 '21 at 02:06
  • Yes, the curl output is enough to demonstrate the problem. – Michael Hampton Sep 24 '21 at 02:08
  • What happens if you have `curl` connect over https instead of plain http? – Gordon Davisson Sep 24 '21 at 02:24
  • with https, I still see 200 ok. kali01:~$ curl -H "Host:www.crm.com" -v https://10.10.10.10/login.html -k <......> > GET /login.html HTTP/1.1 > Host:www.crm.com > User-Agent: curl/7.67.0 > Accept: */* > * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < Last-Modified: Thu, 23 Sep 2021 15:38:23 GMT < Etag: "614c9f6f.636" < Expires: 0 < Cache-Control: max-age=15552000, must-revalidate – Pamelaxyz Sep 24 '21 at 02:40
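A small check for the behaviour the two scenarios above show, added here as an example and not part of the question or any answer: a redirect is classified as reflecting the supplied Host when the Location host equals the arbitrary Host that was sent and is not one of the server's canonical hostnames, which is the condition that makes the second curl run a finding. CANONICAL_HOSTS is an assumed allow-list for the lab server, probe() is a hypothetical helper sending the same request curl does, and the sample responses are constructed from the question's output plus two hardened-server answers.

```python
from urllib.parse import urlsplit
import http.client

# Hostnames the lab server is meant to serve: an assumed allow-list, adjust for your site.
CANONICAL_HOSTS = {"10.10.10.10"}

def classify_redirect(sent_host: str, status: int, location, canonical=CANONICAL_HOSTS) -> str:
    """'reflected': the redirect target was built from the arbitrary Host we sent, so the
    server trusts the Host header. 'canonical' and 'no-redirect' (e.g. 404/400 for an
    unknown Host) are the hardened behaviours. Probing with a canonical Host cannot tell
    them apart, so the informative probe is the one with a foreign Host."""
    if not (300 <= status < 400) or not location:
        return "no-redirect"
    target = (urlsplit(location).hostname or "").lower()   # port stripped, lowercased
    if target in {h.lower() for h in canonical}:
        return "canonical"
    if target == sent_host.split(":")[0].lower():
        return "reflected"
    return "other"

def probe(server_ip: str, path: str, host_value: str, port: int = 80, timeout: float = 5.0):
    """Hypothetical helper: one plain-HTTP GET with an explicit Host header, the same
    request `curl -H "Host: ..."` sends. Returns (status, Location header or None)."""
    conn = http.client.HTTPConnection(server_ip, port, timeout=timeout)
    try:
        conn.putrequest("GET", path, skip_host=True)  # we supply the Host header ourselves
        conn.putheader("Host", host_value)
        conn.endheaders()
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed samples: the first two are the question's curl runs, the last two are
# what a hardened server might answer to the foreign Host.
SAMPLES = [
    ("10.10.10.10", 302, "https://10.10.10.10:443/login.html"),
    ("www.cow.com", 302, "https://www.cow.com:443/login.html"),
    ("www.cow.com", 302, "https://10.10.10.10:443/login.html"),
    ("www.cow.com", 404, None),
]

def run_samples():
    """Verdict per sample; the second is the 'reflected' case the question observed."""
    return [classify_redirect(h, s, loc) for h, s, loc in SAMPLES]

if __name__ == "__main__":
    for (h, s, loc), verdict in zip(SAMPLES, run_samples()):
        print(f"Host: {h:<12} -> {s} {str(loc):<36} {verdict}")
```

The fix on the server side is the third or fourth sample: build the HTTP-to-HTTPS redirect from a configured canonical hostname rather than from the incoming Host header, or refuse requests whose Host is not one the server serves.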
