Lab: Host validation bypass via connection state attack

PRACTITIONER

This lab is vulnerable to routing-based SSRF via the Host header. Although the front-end server may initially appear to perform robust validation of the Host header, it makes assumptions about all requests on a connection based on the first request it receives.

To solve the lab, exploit this behavior to access an internal admin panel located at 192.168.0.1/admin, then delete the user carlos.

Note

Solving this lab requires features first released in Burp Suite 2022.8.1.

This lab is based on real-world vulnerabilities discovered by PortSwigger Research. For more details, check out Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling.

Access the lab

Solution

Send the GET / request to Burp Repeater.
Make the following adjustments:
- Change the path to /admin.
- Change Host header to 192.168.0.1.
Send the request. Observe that you are simply redirected to the homepage.
Duplicate the tab, then add both tabs to a new group.
Select the first tab and make the following adjustments:
- Change the path back to /.
- Change the Host header back to YOUR-LAB-ID.h1-web-security-academy.net.
Using the drop-down menu next to the Send button, change the send mode to Send group in sequence (single connection).
Change the Connection header to keep-alive.
Send the sequence and check the responses. Observe that the second request has successfully accessed the admin panel.
Study the response and observe that the admin panel contains an HTML form for deleting a given user. Make a note of the following details:
- The action attribute (/admin/delete)
- The name of the input (username)
- The csrf token.
On the second tab in your group, use these details to replicate the request that would be issued when submitting the form. The result should look something like this:
POST /admin/delete HTTP/1.1 Host: 192.168.0.1 Cookie: _lab=YOUR-LAB-COOKIE; session=YOUR-SESSION-COOKIE Content-Type: x-www-form-urlencoded Content-Length: CORRECT csrf=YOUR-CSRF-TOKEN&username=carlos
Send the requests in sequence down a single connection to solve the lab.

Want to track your progress and have a more personalized learning experience? (It's free!)

In this topic

HTTP Host header attacks Exploiting HTTP Host header vulnerabilities Password reset poisoning

The benefits of working through PortSwigger's Web Security Academy

Practise exploiting vulnerabilities on realistic targets.
Record your progression from Apprentice to Expert.
See where you rank in our Hall of Fame.

Already got an account? Login here

Lab: Host validation bypass via connection state attack

Note

Solution

In this topic

All topics

Find HTTP Host header vulnerabilities using Burp Suite

Register for free to track your learning progress