Lab: Host header authentication bypass

APPRENTICE

This lab makes an assumption about the privilege level of the user based on the HTTP Host header.

To solve the lab, access the admin panel and delete Carlos's account.

Access the lab

Solution

Send the GET / request that received a 200 response to Burp Repeater. Notice that you can change the Host header to an arbitrary value and still successfully access the home page.
Browse to /robots.txt and observe that there is an admin panel at /admin.
Try and browse to /admin. You do not have access, but notice the error message, which reveals that the panel can be accessed by local users.
Send the GET /admin request to Burp Repeater.
In Burp Repeater, change the Host header to localhost and send the request. Observe that you have now successfully accessed the admin panel, which provides the option to delete different users.
Change the request line to GET /admin/delete?username=carlos and send the request to delete Carlos and solve the lab.

Community solutions

Michael Sommer

Want to track your progress and have a more personalized learning experience? (It's free!)

Sign up Login

In this topic

HTTP Host header attacks Exploiting HTTP Host header vulnerabilities Password reset poisoning

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

Practise exploiting vulnerabilities on realistic targets.
Record your progression from Apprentice to Expert.
See where you rank in our Hall of Fame.

Already got an account? Login here