Host header authentication bypass

Exploitation :

After browsing the website, check robots.txt for any interesting endpoints.

Next, navigate to /admin.

What if we change the Host header to localhost? Would the server treat us as a local user because the request appears to come from localhost? Let's try it.

First, open Burp and intercept the request to /admin.

If we send the request unchanged, we get 401 Unauthorized.

Now change the Host header to localhost so that the server thinks we are a local user. It works: we receive 200 OK, which means we are authorized.

Then send the request that deletes the user carlos (the link is in the response from /admin, inside an <a> tag).

That solves the challenge.
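To see why the bypass works and what the fix looks like, here is an added example (not part of the lab or this walkthrough) that models the flawed "is this request local?" check beside a hardened version and a simple detection rule. The hostnames and addresses are constructed placeholders.

```python
# Added example (not from the original lab): a Host-header locality check
# beside a hardened one. All hosts and addresses here are constructed.

LOOPBACK = {"127.0.0.1", "::1"}
# Hostnames this application actually serves (constructed placeholder values).
ALLOWED_HOSTS = {"vulnerable-site.example", "localhost"}


def host_of(headers):
    """Hostname from the Host header, lower-cased, port removed.
    (Bracketed IPv6 literals are not handled; not needed for this demo.)"""
    return headers.get("Host", "").split(":")[0].lower()


def admin_vulnerable(headers, remote_addr):
    """Flawed /admin check: trusts the client-supplied Host header as proof
    that the request came from the local machine."""
    if host_of(headers) in ("localhost", "127.0.0.1"):
        return 200
    return 401


def admin_hardened(headers, remote_addr):
    """Hardened /admin check: Host only selects the application and must be
    one we serve; locality comes from the TCP peer address, which a remote
    client cannot make look like loopback by editing headers."""
    if host_of(headers) not in ALLOWED_HOSTS:
        return 400  # unexpected Host: refuse instead of guessing
    if remote_addr in LOOPBACK:
        return 200
    return 401


def spoofed_local_host(headers, remote_addr):
    """Detection rule: Host claims localhost but the peer is not loopback.
    Worth logging or alerting on, since legitimate traffic never looks like this."""
    return host_of(headers) in ("localhost", "127.0.0.1") and remote_addr not in LOOPBACK


# Constructed sample: the modified request from the walkthrough, sent by a remote peer.
spoofed = {"Host": "localhost", "Cookie": "session=abc"}
remote = "203.0.113.5"

if __name__ == "__main__":
    print("vulnerable:", admin_vulnerable(spoofed, remote))   # 200: bypass succeeds
    print("hardened:  ", admin_hardened(spoofed, remote))     # 401: peer is not local
    print("alert:     ", spoofed_local_host(spoofed, remote))  # True
```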

hope you found this walkthrough easy to understand and follow

Greetings from Sayonara
