[WEB SECURITY] HOST header exploitation

Bil Corry bil at corry.biz
Mon Apr 27 12:24:49 EDT 2009


Matt Hellman wrote on 4/26/2009 8:57 PM: 
> I have an application that is vulnerable to HOST header manipulation. 
> In this case, it's an issue with the authentication framework that
> eventually appends a session ID to a redirect based on the HOST header.
> To exploit this weakness, how might an attacker get a victim to submit a
> request with a crafted HOST header? XHR? Flash? Java?

DNS is one way -- the attacker could set up a domain under their control with wildcard DNS to resolve all requests to the target site's IP address, then direct a victim's browser to it using the attacker's domain (with the payload embedded in it). Of course, if the vulnerability requires the target site's TLD or something non-resolvable via DNS, then you'd have to use a different method.


- Bil
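
A defensive sketch of the weakness discussed in this thread, added here as an example and not code from either poster or from the application in question: a redirect built from the request's Host header next to one that checks Host against an allowlist and redirects only to a configured origin. The hostnames, the `sid` parameter name and all function names are hypothetical.

```python
# Added example: hostnames, the "sid" parameter and function names are
# constructed for illustration and are not taken from the thread.
from urllib.parse import urlencode

ALLOWED_HOSTS = {"app.example.com"}            # assumption: the site's own names
CANONICAL_ORIGIN = "https://app.example.com"   # assumption: configured, never derived


def normalize_host(host_header):
    """Lower-case a Host value, drop an optional port and a trailing dot."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):                   # IPv6 literal such as [::1]:8080
        host = host.partition("]")[0] + "]"
    else:
        host = host.partition(":")[0]
    return host.rstrip(".")


def vulnerable_redirect(host_header, path, session_id):
    # The pattern described in the thread: the redirect target, session ID
    # included, is built from whatever Host value the request carried.
    return f"https://{host_header}{path}?{urlencode({'sid': session_id})}"


def hardened_redirect(host_header, path, session_id):
    """Return a redirect URL, or None when the request should get a 400."""
    # Reject any Host that is not one of the site's own names. A request that
    # arrives via a foreign domain pointed at this server's IP fails here.
    if normalize_host(host_header) not in ALLOWED_HOSTS:
        return None
    # Require a rooted path so a value like "@other.example/" cannot turn the
    # configured origin into URL userinfo.
    if not path.startswith("/"):
        return None
    # The origin comes from configuration, not from the request.
    return f"{CANONICAL_ORIGIN}{path}?{urlencode({'sid': session_id})}"


if __name__ == "__main__":
    for host in ("app.example.com", "APP.example.com:443", "x.other.example"):
        print(host, "->", hardened_redirect(host, "/home", "abc123"))
```

Rejecting unknown Host values at the web server (for example with a default virtual host that serves nothing) gives the same protection before the application is reached.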

