Labs Covered
This write-up focuses on the following APPRENTICE-level labs from the PortSwigger Web Security Academy related to HTTP Host Header Attacks:
1 Basic password reset poisoning
This lab demonstrates how attackers can exploit unsanitized Host headers to poison password reset links sent to users.
2 Host header authentication bypass
This lab shows how manipulating the Host header can be used to bypass access controls or authentication checks.
LAB 1 - Basic password reset poisoning
Lab Description
Solution
First, we can see below that our exploit server has an email client and an access log for viewing the requests that come to it.
Log in as wiener:peter
Now we click on Forgot password
The above Forgot password link redirects us to a page where we enter the username or email of the account whose password we want to change. I enter wiener, since that is the account whose password I want to change.
So when I submit wiener and go to the email client, I can see a password reset link that contains
a token and also wiener's email, which is winer@exploit……………, the address the backend sent the password change link to.
Click on the above change password link, and now we can change the password.
Now I click on Forgot password again and intercept the request in Burp.
Now send the above request to Repeater so we can change the Host header and make the password change functionality send its link to the attacker's site.
Our wiener email is winer@exploit-0aa………………., so we have a site that records every request sent to the exploit-0aa……… website; we can also call it the attacker website, since it is watching for incoming requests. Now we change the Host header to that user-controllable website and the username to carlos. This produces a GET request to the attacker website that carries carlos's token, which is what we need in order to change the password.
Now we send the above request, and in the access log we can see a GET request to our website containing the token of the user whose password we want to change to solve the lab, in our case carlos.
We saw above how wiener's password is changed; now we copy the URL from the GET request above containing carlos's token, paste it into the browser, and change carlos's password.
Submit the above request to change the password, log in as carlos, and the lab is solved.
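The root cause in this lab is server-side: the application copies the request's Host header into the reset link it emails, so whoever controls that header controls where the token is delivered. The following is an added example, not PortSwigger's lab code, showing that vulnerable pattern beside a hardened one that builds links only from a configured canonical host and rejects requests whose Host is not on an allowlist, plus a small log check a defender could run to spot such attempts. The host names, the `token` query parameter and the log line format are constructed for the example.

```python
# Added example (not PortSwigger's code): reset links built from the Host
# header can be poisoned; the hardened version never reads that header.
import re
from typing import List, Optional, Tuple
from urllib.parse import urlencode

# Hypothetical deployment configuration: the only hostnames this application
# is ever served under. Links sent to users must come from here, not from the request.
CANONICAL_HOST = "example-shop.invalid"
ALLOWED_HOSTS = {CANONICAL_HOST}


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: trusts the request's Host header when building the
    link that is emailed to the user. A spoofed Host ends up in the email, so
    the user's click sends the token to whatever host the attacker supplied."""
    host = headers.get("Host", CANONICAL_HOST)
    return f"https://{host}/forgot-password?{urlencode({'token': token})}"


def host_is_allowed(host: str) -> bool:
    """Allowlist check: drop an optional :port, compare case-insensitively."""
    hostname = host.rsplit(":", 1)[0] if ":" in host and not host.startswith("[") else host
    return hostname.lower() in ALLOWED_HOSTS


def build_reset_link_safe(token: str) -> str:
    """Hardened pattern: the link is built from configuration only."""
    return f"https://{CANONICAL_HOST}/forgot-password?{urlencode({'token': token})}"


def handle_reset_request(headers: dict, token: str) -> Optional[str]:
    """Hardened handler: a request with an unexpected Host is rejected before
    any email is generated (returns None); otherwise the canonical link is used."""
    if not host_is_allowed(headers.get("Host", "")):
        return None
    return build_reset_link_safe(token)


# Constructed access-log lines in a hypothetical format that records the Host
# header (real servers need a custom log format to include it).
SAMPLE_LOG = [
    '10.0.0.5 host="example-shop.invalid" "POST /forgot-password"',
    '10.0.0.9 host="exploit-0aa.attacker.invalid" "POST /forgot-password"',
    '10.0.0.5 host="example-shop.invalid" "GET /"',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) host="(?P<host>[^"]*)" "(?P<req>[^"]*)"$')


def find_poisoning_attempts(lines: List[str]) -> List[Tuple[str, str]]:
    """Detection: password-reset requests whose Host header is not one of ours.
    Returns (source ip, supplied host) pairs for follow-up."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and "/forgot-password" in m["req"] and not host_is_allowed(m["host"]):
            hits.append((m["ip"], m["host"]))
    return hits


if __name__ == "__main__":
    spoofed = {"Host": "exploit-0aa.attacker.invalid"}
    print("vulnerable:", build_reset_link_vulnerable(spoofed, "t0k3n"))
    print("hardened:  ", handle_reset_request(spoofed, "t0k3n"))
    print("suspicious:", find_poisoning_attempts(SAMPLE_LOG))
```

The allowlist check also matters for the "127.0.0.1 versus localhost" style of confusion: it compares normalised hostnames rather than raw header strings, and it runs before anything is emailed, so a poisoned request never produces a message at all.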
LAB 2 - Host header authentication bypass
Lab Description
Solution
Looking for the admin panel, we can see that there is an admin page.
Navigating to it tells us that only local users can access it.
Intercepting the above admin request with Burp.
Changing the Host header to the local IP 127.0.0.1, but that did not work.
Changing the Host header to localhost gives us the admin panel.
To solve the lab we have to delete carlos, so deleting carlos solves the lab.
And the lab is solved.
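What the second lab exposes is an access control that infers "local user" from the Host header, a value the client chooses, rather than from where the connection actually came from. The following added example (not PortSwigger's code) shows a check of that vulnerable shape, matching only the string `localhost` as the lab's behaviour suggests, beside one that uses the server-observed peer address, and it also handles the reverse-proxy case, where the peer address is the proxy and the real client address must be taken from a forwarded header only when the proxy is trusted. The function names, the `trusted_proxies` parameter and the sample addresses are assumptions made for the example.

```python
# Added example (not PortSwigger's code): "is this request local?" decided
# from the Host header versus from the connection's peer address.
import ipaddress
from typing import Iterable

LOOPBACK_HOSTNAMES = {"localhost"}


def is_local_vulnerable(headers: dict) -> bool:
    """Vulnerable: trusts a client-supplied header. It compares the hostname
    part of Host against the literal 'localhost', which mirrors the lab, where
    Host: 127.0.0.1 was rejected but Host: localhost was accepted."""
    host = headers.get("Host", "").split(":", 1)[0].lower()
    return host in LOOPBACK_HOSTNAMES


def client_ip(remote_addr: str, headers: dict, trusted_proxies: Iterable[str] = ()) -> str:
    """Address to treat as the client. X-Forwarded-For is honoured only when the
    direct peer is a proxy we configured as trusted; the rightmost entry is the
    one that proxy appended, so it is the only value we rely on."""
    if remote_addr in set(trusted_proxies):
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            return xff.split(",")[-1].strip()
    return remote_addr


def is_local_safe(remote_addr: str, headers: dict, trusted_proxies: Iterable[str] = ()) -> bool:
    """Hardened: 'local' means the resolved client address is a loopback
    address. The client cannot choose its own peer address, and it cannot
    inject X-Forwarded-For unless the peer is a trusted proxy."""
    try:
        return ipaddress.ip_address(client_ip(remote_addr, headers, trusted_proxies)).is_loopback
    except ValueError:
        return False


def admin_decision(headers: dict, remote_addr: str, trusted_proxies: Iterable[str] = ()) -> str:
    """Hardened admin gate: network position is only a pre-filter; a real
    deployment would still require an authenticated admin session here."""
    return "ALLOW" if is_local_safe(remote_addr, headers, trusted_proxies) else "DENY"


if __name__ == "__main__":
    spoofed = {"Host": "localhost"}
    print("vulnerable check, remote client:", is_local_vulnerable(spoofed))
    print("hardened check, remote client:  ", admin_decision(spoofed, "203.0.113.7"))
    # Reverse proxy on the same machine: the peer is loopback for everyone, so the
    # decision must come from the proxy-supplied client address instead.
    fwd = {"Host": "localhost", "X-Forwarded-For": "203.0.113.7"}
    print("behind trusted local proxy:     ", admin_decision(fwd, "127.0.0.1", ["127.0.0.1"]))
```

The proxy case is the one to get right when deploying this: if a reverse proxy runs on the same host and `trusted_proxies` is left empty, every request arrives from a loopback peer and the hardened check would allow everyone, so the proxy's address must be configured as trusted and the proxy must overwrite, not append to, any forwarded header it receives from the outside.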