# Host header authentication bypass

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FiZ1XuzxkBRWW2KqpnSXq%2Fimage.png?alt=media&#x26;token=5ab73f18-74c0-4759-90e3-e25a4134d430" alt=""><figcaption></figcaption></figure></div>

## <mark style="color:red;">Exploitation :</mark>&#x20;

After browsing the website, let's check `robots.txt` for any interesting endpoints.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FQ0My2JTFCq6vTZRNmRqa%2Fimage.png?alt=media&#x26;token=85b22b22-8577-42dc-97a4-693b52168b47" alt=""><figcaption></figcaption></figure></div>

Let's navigate to `/admin`.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FRlysLyo9456LNL4NP17f%2Fimage.png?alt=media&#x26;token=7199c2c3-7df8-4c78-beb4-571125811f9f" alt=""><figcaption></figcaption></figure></div>

What if we change the `Host` header to <mark style="color:blue;">**localhost**</mark>? If the server decides who is a `local user` from that header alone, anyone who sets it can pose as one. Let's try it out.

First, open Burp and intercept the request to `/admin`.

If we forward the request unchanged, we get <mark style="color:red;">**401 Unauthorized**</mark>.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FTnxs1U48i0xWLNeBVAMX%2Fimage.png?alt=media&#x26;token=20a84358-3c95-4fbf-b992-7a69a086b599" alt=""><figcaption></figcaption></figure></div>

Now change the `Host` header to **localhost** so the server believes the request comes from a local user. It worked: we received **200 OK**, which means we are <mark style="color:green;">**authorized**</mark>. The server is trusting a client-controlled header as its only check for "local" access.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FEuXkB6J12AKrczXLNTyT%2Fimage.png?alt=media&#x26;token=0bd76ceb-805f-4ef7-9a9f-85b3c94c2f31" alt=""><figcaption></figcaption></figure></div>

Now send the request that deletes the user `carlos` (the link is in the response we got from `/admin`, inside an `<a>` tag), keeping the same `Host: localhost` header on that request.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F5jtvydhJx07oGoPvpMt8%2Fimage.png?alt=media&#x26;token=97e7a48f-2481-4bb7-84a5-1474796c049f" alt=""><figcaption></figcaption></figure></div>

And the challenge is solved.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fi8MWFe14kixVW57w9Pte%2Fimage.png?alt=media&#x26;token=bd4e8a48-6f8b-4788-92a8-3c84f7dfdb44" alt=""><figcaption></figcaption></figure></div>
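To make the root cause concrete, here is an added example (my own code, not the lab's server and not part of the original walkthrough). It contains a small raw-HTTP request parser, the two `/admin` requests from the steps above as constructed strings, the vulnerable check that trusts the `Host` header, and a hardened check that decides on the TCP peer address instead. The lab hostname, the attacker IP `203.0.113.10` and the `/admin/delete?username=carlos` path are assumptions used for illustration.

```python
"""Host header authentication bypass: vulnerable check beside a hardened one.

Constructed example, not the lab's real server code. The server in the
walkthrough grants /admin to "local" users; the only question is what it
uses to decide that a request is local.
"""
from ipaddress import ip_address

# Constructed sample values (assumptions, not from the original page).
LAB_HOST = "YOUR-LAB-ID.web-security-academy.net"   # placeholder lab hostname
ATTACKER_IP = "203.0.113.10"                        # documentation range, constructed
DELETE_PATH = "/admin/delete?username=carlos"       # assumed link from the admin page

# The request Burp intercepts before any tampering (401 in the walkthrough).
REQUEST_NORMAL = (
    "GET /admin HTTP/1.1\r\n"
    f"Host: {LAB_HOST}\r\n"
    "\r\n"
)
# Same request with only the Host header changed (200 in the walkthrough).
REQUEST_BYPASS = REQUEST_NORMAL.replace(f"Host: {LAB_HOST}", "Host: localhost")
# The follow-up request that deletes carlos, still carrying Host: localhost.
REQUEST_DELETE = (
    f"GET {DELETE_PATH} HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "\r\n"
)


def parse_request(raw: str) -> dict:
    """Parse a raw HTTP/1.1 request into method, path, lower-cased headers and body.

    Duplicate headers are rejected: a second Host header is a common way to
    confuse front-end and back-end parsing, so it is worth refusing outright.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in headers:
            raise ValueError(f"duplicate header: {name}")
        headers[name] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def host_name(req: dict) -> str:
    """Host header without the optional :port suffix, lower-cased."""
    return req["headers"].get("host", "").rsplit(":", 1)[0].lower()


def is_admin_allowed_vulnerable(req: dict, remote_addr: str) -> bool:
    """The lab's behaviour: anyone who *claims* Host: localhost counts as local.

    remote_addr is accepted but never consulted, which is exactly the bug.
    """
    return host_name(req) == "localhost"


def is_admin_allowed_hardened(req: dict, remote_addr: str) -> bool:
    """Decide on the connection's peer address, which the client cannot set.

    The Host header is ignored for the authorization decision. If this app
    sits behind a reverse proxy, remote_addr would be the proxy's address and
    you would need the client address from that trusted hop instead, never
    from a header the client can write (X-Forwarded-For included).
    """
    try:
        return ip_address(remote_addr).is_loopback
    except ValueError:
        return False


def simulate(raw: str, check, remote_addr: str = ATTACKER_IP) -> int:
    """Status the server would return for an admin request under the given check."""
    req = parse_request(raw)
    return 200 if check(req, remote_addr) else 401


if __name__ == "__main__":
    for label, raw in (("normal", REQUEST_NORMAL), ("bypass", REQUEST_BYPASS), ("delete", REQUEST_DELETE)):
        print(f"{label:7s} vulnerable={simulate(raw, is_admin_allowed_vulnerable)} "
              f"hardened={simulate(raw, is_admin_allowed_hardened)}")
```

Run it and the vulnerable check answers 401 for the untouched request but 200 for both `Host: localhost` requests from the attacker's address, reproducing the walkthrough; the hardened check answers 401 for all three unless the peer address really is loopback. Validating `Host` against an allow-list is still worthwhile at the routing layer (it stops password-reset poisoning and cache poisoning), but it is not a substitute for an authorization decision based on something the client cannot forge.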

Hope you found this walkthrough easy to understand and follow.

Greetings from [<mark style="color:red;">**Sayonara**</mark>](https://github.com/ismail-arame)
