Penetration Testing mailing list archives
HOST header manipulation
From: mhellman () taxandfinance com
Date: Thu, 23 Apr 2009 09:16:27 -0500 (CDT)
I'm reviewing the authentication process of a web application. It appears there is a reverse proxy in front of the app that utilizes an auth framework. A request for a URL protected by the reverse proxy results in multiple redirects that eventually return a login form. The original URL is persisted first in the redirect URL and then in a cookie. After authentication, a redirect to the original URL occurs based on the provided cookie value.

Let's assume for now that the URL and cookie issues are fixed and the original URL is persisted by some other means (maybe a session...assume this is done right...no fixation or other issues).

I digress...here is my question: If the issue is that the reverse proxy will accept any HOST header and persist it through the login such that the final redirect can go anywhere, how might an attacker get a victim to submit a request with a crafted HOST header? XHR? Flash? Java?

TIA
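The redirect behaviour described in the message above, next to a hardened form that takes the redirect host from configuration, as an added example that is not part of the original post. The hostnames, the allowlist and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed values: hostnames this proxy is assumed to serve.
ALLOWED_HOSTS = {"app.example.com", "login.example.com"}
CANONICAL_HOST = "app.example.com"


def normalize_host(host_header):
    """Return the lowercased hostname from a Host header, or None if malformed."""
    if not host_header or any(c in host_header for c in " \t\r\n/\\@?#"):
        return None
    try:
        parts = urlsplit("//" + host_header)
        _ = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    hostname = parts.hostname
    return hostname.rstrip(".").lower() if hostname else None


def vulnerable_redirect(host_header, original_path):
    """Behaviour described in the post: the client-supplied Host is trusted."""
    return f"https://{host_header}{original_path}"


def safe_redirect(host_header, original_path):
    """Build the post-login redirect from configuration, not from the request."""
    host = normalize_host(host_header)
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST  # alternative policy: reject the request with 400
    # Accept only a local path: one leading slash, no "//", backslash or CR/LF.
    # Any port in the Host header is dropped; the configured https origin is used.
    bad_path = (
        not original_path.startswith("/")
        or original_path.startswith("//")
        or any(c in original_path for c in "\\\r\n")
    )
    return f"https://{host}{'/' if bad_path else original_path}"


if __name__ == "__main__":
    for h in ("app.example.com", "LOGIN.example.com:8443", "evil.example.net"):
        print(h, "->", vulnerable_redirect(h, "/account"), "|", safe_redirect(h, "/account"))
```

The same allowlist check can be enforced at the reverse proxy itself, so that a request with an unknown Host never reaches the login flow.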