
changing header host to view content behind a login


bolus

Recommended Posts

I've got a page where the content access is restricted by a username/password combination. It's not credentials that the user has to register for; it's just set on the server, where all content is publicly accessible apart from this page. I've found that I can access this by changing the Host header value (via Burp):

Original:

GET /content HTTP/1.1

host: site.com

which returns HTTP 401 Authorization Required.

I change the header details to:

GET /content HTTP/1.1

host: evil.com

then I can access the requested page. I kinda stumbled across this and would like to learn more about it. Any advice as to what this type of vulnerability is called, and why it happens? I *think* it's happening because the validation only works when the request comes from the host domain, but would like confirmation of this.

 

Cheers


Sounds like they've just messed up their vhost configuration: the authentication is only checked on the site.com vhost, but the server returns the same content regardless of which vhost is requested.


The weirdest one like that I've seen was one where, if you put a . in front of the domain name, the requests bypassed authentication, i.e. https://.hak5.org would bypass things, while https://hak5.org would get restricted.

It didn't work with any other messing with the host or domain, so I suspect a slightly broken regular expression somewhere, but I could never prove it.

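The two replies above describe the same failure from different angles: auth is attached to one named vhost, and any Host value that misses that name (evil.com in the original post, .hak5.org in the second reply) lands on a default vhost that serves the same files without it. The following is an added illustration, not code from the thread or from any real web server: a toy dispatcher that picks a server block from the Host header the way nginx (default_server) and Apache (first VirtualHost) do when nothing matches, replays the Burp experiment against the weak configuration and against a hardened one, and checks that the hardened one refuses unknown hosts instead of serving them. The hostnames, paths, the "bolus"/"hunter2" credential and the page bodies are all constructed for the example.

```python
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample document root, shared by every vhost below.
CONTENT: Dict[str, bytes] = {"/": b"public index", "/content": b"restricted page"}
# Hypothetical server-side credential ("set on the server", as in the thread).
VALID_CREDS = {"bolus": "hunter2"}


@dataclass
class VHost:
    """One server block. name=None is the catch-all that receives every Host
    value no named block matches (nginx default_server, Apache's first VirtualHost)."""
    name: Optional[str]
    docroot: Dict[str, bytes]
    protected: Set[str] = field(default_factory=set)  # paths behind Basic auth
    reject_unknown_host: bool = False  # hardened default: refuse instead of serve


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser would send for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(authorization: Optional[str]) -> bool:
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
    except Exception:  # malformed base64 or non-UTF-8 payload
        return False
    return VALID_CREDS.get(user) == pw


def pick_vhost(host: Optional[str], vhosts: List[VHost]) -> VHost:
    """Exact server_name match after dropping the port and case-folding.
    Anything else (evil.com, a leading dot, a missing Host) falls to the default."""
    name = (host or "").split(":")[0].lower()
    for v in vhosts:
        if v.name is not None and v.name == name:
            return v
    return next(v for v in vhosts if v.name is None)


def serve(vhosts: List[VHost], host: Optional[str], path: str,
          authorization: Optional[str] = None) -> Tuple[int, bytes]:
    """Return (status, body) as the server would for one request."""
    v = pick_vhost(host, vhosts)
    if v.name is None and v.reject_unknown_host:
        return 421, b""  # Misdirected Request: this server does not serve that Host
    if path in v.protected and not basic_auth_ok(authorization):
        return 401, b""
    if path not in v.docroot:
        return 404, b""
    return 200, v.docroot[path]


# Weak configuration from the thread: auth is attached to the site.com block
# only, while the default block is an unprotected copy of the same docroot.
WEAK = [
    VHost(name=None, docroot=CONTENT),
    VHost(name="site.com", docroot=CONTENT, protected={"/content"}),
]

# Hardened: the default block serves nothing and rejects unknown hosts, and the
# auth requirement stays on the resource in the one block that serves it.
HARDENED = [
    VHost(name=None, docroot={}, reject_unknown_host=True),
    VHost(name="site.com", docroot=CONTENT, protected={"/content"}),
]


def bypass_check(vhosts: List[VHost], path: str = "/content") -> Dict[Optional[str], int]:
    """Replay the Burp experiment: same path, varying Host, no credentials.
    A 200 for any host other than the real one is the misconfiguration."""
    return {h: serve(vhosts, h, path)[0]
            for h in ("site.com", "evil.com", ".site.com", "SITE.COM:8080", None)}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, bypass_check(cfg))
```

Note that "SITE.COM:8080" still hits the protected block because real servers case-fold the name and ignore the port, so the bypass is not about case or port tricks but about landing on a block the auth directive was never attached to. The equivalent fix on a real server is the same two steps the hardened list models: give the catch-all block no content (nginx `return 444;` or a 421/404, Apache a dummy first VirtualHost), and put the auth directive on the location or directory, not on a vhost that happens to have the same docroot as another.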

Hehe, comes after rule 2?... Soz, my bad, punctuation marks included!

Come on Dig, you know your core defence mechanisms on input validation.

1. Strip any <script> expressions that appear.
2. Truncate the input to 50 characters.
3. Remove any quotation/punctuation marks within the input.
4. URL-decode the input.
5. If any items were deleted, return to step 1.

Edited by r3plic4tor

That has absolutely nothing to do with the original question, which was about a failure to correctly check authentication.

I would disagree with them even if we were talking about input validation.
