Categoría: HTTP Host header attacks

Web cache poisoning via ambiguous requests

Descripción This lab is vulnerable to web cache poisoning due to discrepancies in how the cache and the back-end application handle ambiguous requests. An unsuspecting user regularly visits the site’s home page. To solve the lab, poison the cache so the home page executes alert(document.cookie) in the victim’s browser. Web cache poisoning via ambiguous requests writeup Entraremos […]

Host validation bypass via connection state attack

Descripción This lab is vulnerable to routing-based SSRF via the Host header. Although the front-end server may initially appear to perform robust validation of the Host header, it makes assumptions about all requests on a connection based on the first request it receives. To solve the lab, exploit this behavior to access an internal admin […]

SSRF via flawed request parsing

Descripción This lab is vulnerable to routing-based SSRF due to its flawed parsing of the request’s intended host. You can exploit this to access an insecure intranet admin panel located at an internal IP address. To solve the lab, access the internal admin panel located in the 192.168.0.0/24 range, then delete the user carlos. SSRF via flawed request […]

Routing-based SSRF

Descripción This lab is vulnerable to routing-based SSRF via the Host header. You can exploit this to access an insecure intranet admin panel located on an internal IP address. To solve the lab, access the internal admin panel located in the 192.168.0.0/24 range, then delete the user carlos. Routing-based SSRF writeup A diferencia del laboratorio anterior (Host header […]

Host header authentication bypass

Descripción This lab makes an assumption about the privilege level of the user based on the HTTP Host header. To solve the lab, access the admin panel and delete the user carlos. Host header authentication bypass writeup Entraremos en el laboratorio y buscarmos información sobre dónde está el panel de administrador. Esta infomación la encontraremos en […]

Basic password reset poisoning

Descripción This lab is vulnerable to password reset poisoning. The user carlos will carelessly click on any links in emails that he receives. To solve the lab, log in to Carlos’s account. You can log in to your own account using the following credentials: wiener:peter. Any emails sent to this account can be read via the email client […]