Host Header Injection Attack | Authentication Bypass

Captions
If a web application does not properly validate the Host header value in the HTTP request, then it might be vulnerable to HTTP Host header injection attacks. During this video we look at a simple scenario where an attacker injects a malicious payload into the HTTP Host header to bypass application access control and perform administrative actions without having valid admin credentials. For the purpose of this video we use a lab from Web Security Academy called "Host header authentication bypass", and you can find the link to this lab in the video description. To solve this lab we need to access the admin panel and then delete user carlos.

Alright, let's get started by clicking on "Access the lab". From the lab description we know the application has an admin panel, but we don't know the URL for accessing this panel. Let's see if we can find any information about the admin panel URL from the robots.txt file. So we go to the address bar, add /robots.txt at the end of the URL and submit the new URL. Looking at the contents of the robots.txt file, we can see the /admin directory, which should be the URL for the admin panel.

Now let's see if we can access the admin panel by directly browsing to it. First we turn on the Burp intercept, then we go to the address bar, add /admin at the end of the application homepage URL and submit the request. In Burp we see the HTTP GET request for accessing the admin panel. Let's forward this request. The application returns a 401 HTTP response code, indicating the lack of valid authentication credentials for the requested page. In the browser we see an interesting message: the admin interface is only available to local users. So if we could manage to find a way to submit this request so that it looks as if it comes from a local user, then we should be able to bypass application access control and get access to the admin panel without having valid admin credentials.

Let's go back to the application home page by clicking on Home in the top right corner of the screen. We need to do some experiments with the HTTP requests and closely observe the application behavior to see if we can find a way to modify the HTTP request so that the application assumes the request is submitted by local users. Make sure the Burp intercept is on, then either refresh the page or click on the Home button. Looking at the HTTP request, we notice the Host header, and its value is the application domain name.

Let's see if the application is vulnerable to Host header injection. When testing for Host header vulnerabilities, the first step is to change the Host header to a random value to see how the application behaves. In Burp we go to the Host header, replace its value with a random invalid domain name, then forward the request. The application completes the request and returns the contents of the home page. Even though in the HTTP request we changed the Host header to an unexpected value, we could still access the application. This is an indication that the web application is probably vulnerable to a Host header injection attack. You might ask why, even though the Host header was an invalid domain name, we could still access the application. One of the reasons for such behavior is that some web application servers are configured with a default option, which is the application domain name, and if they receive an HTTP request that contains a domain name that they don't recognize, they use that default option and provide access to the application.

Now let's see if we can exploit the Host header injection vulnerability to get access to the admin panel. In the web browser we go to the address bar, add /admin at the end of the URL and submit this URL. In Burp we go to the Host header and change its value to localhost, then we forward the request. We get a 200 HTTP response code and the application returns the contents of the admin panel. Looking at the web browser, we see the admin panel and the list of the users. Since in the HTTP request we changed the Host header to localhost, the application assumed the request was coming from an internal user and as a result provided access to the admin panel. So by exploiting a simple Host header injection vulnerability we managed to bypass the application access control and get access to the admin panel.

For the next step we need to delete user carlos. Be sure the Burp intercept is on, and in the web browser we click on Delete next to carlos's username. In Burp we see the request for deleting user carlos. For obvious reasons, if we forward this request as it is, the application access control would refuse to perform the requested action and delete the user, as we are not the admin user. So we need to change the Host header to localhost to ensure the application assumes the request is coming from local users. Let's go ahead and remove the current domain name in the Host header and replace it with localhost, then we forward the request. In the web browser we get the message that we solved the lab, and by looking at the admin panel we see user carlos is deleted successfully.

In this video we saw a simple scenario where we could exploit a Host header injection vulnerability to bypass application access control and perform sensitive admin actions without having valid admin credentials. If you enjoyed watching this video, please give it a like and also be sure to subscribe to the channel, as I upload new videos every week.
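The access-control flaw the narrator exploits, and a fix, as an added Python example that is not from the video or from the PortSwigger lab. It models a request handler that decides "local user" from the attacker-controlled Host header, replays the video's three requests against it (probe /admin with the real hostname, resend with Host: localhost, then delete carlos), and repeats the same three requests against a hardened handler that rejects any Host it does not serve and gates the admin panel on the authenticated session instead of on Host. The hostname vulnerable-website.com, the /admin/delete?username=carlos endpoint and the user table are assumptions made for the example, not values taken from the lab.

```python
"""Host header authentication bypass: vulnerable handler, attack replay, hardened handler.

Added example; all hostnames, paths and users below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

REAL_HOST = "vulnerable-website.com"   # assumption: the hostname the app is served on
ALLOWED_HOSTS = {REAL_HOST}            # the only Host values the hardened app will answer


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    query: Dict[str, str] = field(default_factory=dict)
    session_user: Optional[str] = None  # user identified by the session cookie, if any

    def raw(self) -> str:
        """Render the request the way Burp Proxy's intercept tab shows it."""
        target = self.path
        if self.query:
            target += "?" + "&".join(f"{k}={v}" for k, v in self.query.items())
        lines = [f"{self.method} {target} HTTP/1.1"]
        lines += [f"{k}: {v}" for k, v in self.headers.items()]
        return "\r\n".join(lines) + "\r\n\r\n"


Response = Tuple[int, str]
Handler = Callable[[Request, Dict[str, str]], Response]


def fresh_users() -> Dict[str, str]:
    """Constructed user table; carlos is the account the lab asks us to delete."""
    return {"wiener": "user", "carlos": "user", "administrator": "admin"}


def vulnerable_handle(req: Request, users: Dict[str, str]) -> Response:
    """Access control as the lab behaves: 'local user' is inferred from the Host header."""
    host = req.headers.get("Host", "").split(":")[0]   # strip any :port
    if req.path.startswith("/admin"):
        if host not in ("localhost", "127.0.0.1"):
            return 401, "Admin interface only available to local users"
        if req.path == "/admin/delete":
            users.pop(req.query.get("username", ""), None)
            return 302, "redirect to /admin"
        return 200, "admin panel: " + ", ".join(users)
    # Any other Host falls through to the default virtual host, as the video observes.
    return 200, "home page"


def hardened_handle(req: Request, users: Dict[str, str]) -> Response:
    """Fix: refuse unrecognised Host values and gate /admin on the session, never on Host."""
    if req.headers.get("Host") not in ALLOWED_HOSTS:
        return 421, "Misdirected Request"
    if req.path.startswith("/admin"):
        if users.get(req.session_user or "") != "admin":
            return 401, "admin credentials required"
        if req.path == "/admin/delete":
            users.pop(req.query.get("username", ""), None)
            return 302, "redirect to /admin"
        return 200, "admin panel: " + ", ".join(users)
    return 200, "home page"


def run_attack(handle: Handler) -> dict:
    """Replay the video's three steps against a handler and report what happened."""
    users = fresh_users()
    probe = Request("GET", "/admin", {"Host": REAL_HOST})
    spoofed = Request("GET", "/admin", {"Host": "localhost"})
    delete = Request("GET", "/admin/delete", {"Host": "localhost"}, {"username": "carlos"})
    return {
        "probe": handle(probe, users),      # 401 on both handlers
        "admin": handle(spoofed, users),    # 200 on vulnerable, 421 on hardened
        "delete": handle(delete, users),    # 302 on vulnerable, 421 on hardened
        "users": list(users),               # carlos gone only on the vulnerable handler
        "delete_request": delete.raw(),     # the edited request as Burp would show it
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handle), ("hardened", hardened_handle)):
        r = run_attack(handler)
        print(f"[{name}] probe={r['probe'][0]} admin={r['admin'][0]} "
              f"delete={r['delete'][0]} users={r['users']}")
    print(run_attack(vulnerable_handle)["delete_request"])
```

The hardened handler answers 421 for every Host it does not serve, which is the opposite of the "default option" behaviour the narrator describes: a server that routes unknown Host values to its main site is exactly what makes the spoofed request reach the application at all. In a real deployment that rejection belongs in the web server or reverse proxy's virtual-host configuration (a catch-all default that returns an error, with the application only reachable under its real names), and "is this a local user" must come from authentication, never from a header the client writes.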
Info
Channel: TraceTheCode
Views: 23,768
Id: o_EzcZMnAyU
Length: 6min 6sec (366 seconds)
Published: Thu Apr 07 2022