Host header authentication bypass | Portswigger Lab
HTTP Host header attacks | walkthrough
Lab Description: This lab makes an assumption about the privilege level of the user based on the HTTP Host header.
To solve the lab, access the admin panel and delete Carlos’s account.
*At first I reviewed the source code and brute-forced directories, but found nothing interesting.
*Then I found ‘robots.txt’, which disallows ‘/admin’.
*After visiting ‘/admin’ I got the message “Admin interface only available to local users”. This means the admin page can only be accessed by local users.
*After intercepting the ‘/admin’ request and response in Burp Suite Repeater, I saw “401 Unauthorized”.
*Then I tried editing the request and adding “X-Forwarded-For: localhost”, but it didn’t work.
*Then I changed the “Host” header to “Host: localhost” and accessed the admin panel.
*After accessing the admin panel I found 2 users. The lab required me to delete the ‘Carlos’ user.
*I found a path in the response for deleting the user ‘Carlos’.
*Using this path I successfully deleted the user ‘Carlos’, and it followed a redirect to the admin panel.
*After the redirect to the admin page, the lab was solved successfully.
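The root cause in this lab is a privilege check that trusts the client-supplied Host header. The following is an added example (not the lab’s own code and not from the original write-up) that models that check, puts a hardened version beside it, and adds a small log-review helper for spotting the pattern. The hostnames, peer addresses and log lines are constructed for the example; the allowlist `ALLOWED_HOSTS`, the `session` dictionary and the tab-separated log format are assumptions.

```python
"""Host-header-based privilege check: vulnerable form, hardened form, and detection.

Added example, not code from the PortSwigger lab or the original write-up.
All hostnames, addresses and log lines below are constructed.
"""
from typing import Dict, List, Tuple

# Names an attacker can place in the Host header to claim to be "local".
LOCAL_NAMES = {"localhost", "127.0.0.1", "[::1]"}
# Peer addresses as seen on the TCP socket; the client cannot forge these.
LOCAL_ADDRS = {"127.0.0.1", "::1"}
# Hypothetical canonical hostnames this application serves (assumption).
ALLOWED_HOSTS = {"lab.example", "www.lab.example"}


def host_name(headers: Dict[str, str]) -> str:
    """Return the Host header's hostname, lower-cased, without a :port suffix."""
    raw = headers.get("Host", "").strip().lower()
    if raw.startswith("["):          # bracketed IPv6 literal, e.g. [::1]:8080
        return raw.split("]")[0] + "]"
    return raw.split(":")[0]


def vulnerable_admin_check(headers: Dict[str, str]) -> Tuple[int, str]:
    """Mirrors the lab's behaviour: 'local' is decided from the Host header alone,
    so any client that sends 'Host: localhost' is treated as a local user."""
    if host_name(headers) in LOCAL_NAMES:
        return 200, "admin panel"
    return 401, "Admin interface only available to local users"


def hardened_admin_check(headers: Dict[str, str], peer_addr: str,
                         session: Dict[str, bool]) -> Tuple[int, str]:
    """Hardened version:
    1. reject requests whose Host is not on the allowlist (the general defence
       against Host header attacks; Django's ALLOWED_HOSTS works the same way);
    2. never derive privilege from Host or X-Forwarded-For; use the authenticated
       session and, if a local-only policy is still wanted, the socket peer address."""
    if host_name(headers) not in ALLOWED_HOSTS:
        return 400, "unrecognised Host header"
    if not session.get("is_admin", False):
        return 401, "authentication required"
    if peer_addr not in LOCAL_ADDRS:
        return 403, "admin interface only available from the local host"
    return 200, "admin panel"


# Constructed access-log lines (assumed format): peer_ip<TAB>host<TAB>path<TAB>status
SAMPLE_LOG = [
    "127.0.0.1\tlocalhost\t/admin\t200",       # genuine local access
    "203.0.113.5\tlab.example\t/admin\t401",   # remote user, normal Host, denied
    "203.0.113.5\tlocalhost\t/admin\t200",     # remote peer claiming to be local
]


def flag_host_spoofing(lines: List[str]) -> List[str]:
    """Return log lines where a non-local peer sent a 'local' Host value.
    This is the signal a defender would alert on for this class of bypass."""
    flagged = []
    for line in lines:
        peer, host, _path, _status = line.split("\t")
        if host.lower() in LOCAL_NAMES and peer not in LOCAL_ADDRS:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    spoofed = {"Host": "localhost"}
    print("vulnerable:", vulnerable_admin_check(spoofed))
    print("hardened:  ", hardened_admin_check(spoofed, "203.0.113.5", {"is_admin": False}))
    print("flagged:   ", flag_host_spoofing(SAMPLE_LOG))
```

The key design point is that the hardened check consults only values the client cannot set: the server's own hostname allowlist, the authenticated session, and the socket peer address. Both Host and X-Forwarded-For are client-controlled input and never appear in the privilege decision.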