
SNMP and HOST Header Injection

 

 

How to Test

Initial testing is as simple as supplying another domain (e.g. attacker.com) in the Host header field. How the web server processes the header value dictates the impact. The attack is valid when the web server processes the input and sends the request to an attacker-controlled host that resides at the supplied domain, rather than to an internal virtual host that resides on the web server.

GET / HTTP/1.1
Host: www.attacker.com
[...]

In the simplest case, this may cause a 302 redirect to the supplied domain.

HTTP/1.1 302 Found
[...]
Location: http://www.attacker.com/login.php

Alternatively, the web server may send the request to the first virtual host on the list.

X-Forwarded Host Header Bypass

If Host header injection is mitigated by checking for invalid input in the Host header, you can supply the value in the X-Forwarded-Host header instead.

GET / HTTP/1.1
Host: www.example.com
X-Forwarded-Host: www.attacker.com
[...]

Potentially producing client-side output such as:

Once again, this depends on how the web server processes the header value.
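The difference in header handling that decides the outcome of both tests above, shown as an added example (constructed code, not taken from the original page or from any real application). The allowlisted host name, the proxy address and the function names are assumptions; header names are matched exactly as given in the dictionary.

```python
# Added example: constructed handler logic for illustration only.
ALLOWED_HOSTS = {"www.example.com"}   # assumption: the site's only legitimate host name
TRUSTED_PROXIES = {"10.0.0.5"}        # assumption: address of the site's own reverse proxy


def normalize_host(value):
    """Lower-case a Host value and drop an optional :port and trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):          # IPv6 literal such as [::1]:8080
        return host.split("]")[0] + "]"
    return host.split(":")[0].rstrip(".")


def vulnerable_redirect(headers):
    """Before: the redirect target is built from client-supplied headers."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return 302, {"Location": f"http://{host}/login.php"}


def hardened_redirect(headers, peer_ip):
    """After: the effective host must be on the allowlist, otherwise 400."""
    host = headers.get("Host", "")
    # X-Forwarded-Host is considered only when the direct peer is our own proxy,
    # and even then it goes through the same allowlist check as Host.
    if peer_ip in TRUSTED_PROXIES and "X-Forwarded-Host" in headers:
        host = headers["X-Forwarded-Host"]
    host = normalize_host(host)
    if host not in ALLOWED_HOSTS:
        return 400, {}
    return 302, {"Location": f"http://{host}/login.php"}
```

A 400 from the hardened path for an unknown host also keeps the response from being stored by a cache under the legitimate site's key.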

Web Cache Poisoning

Using this technique, an attacker can manipulate a web cache to serve poisoned content to anyone who requests it. This relies on the ability to poison the caching proxy run by the application itself, CDNs, or other downstream providers. As a result, the victim will have no control over receiving the malicious content when requesting the vulnerable application.

GET / HTTP/1.1
Host: www.attacker.com
[...]

The following will be served from the web cache when a victim visits the vulnerable application.

SNMP (Simple Network Management Protocol) is a protocol used to monitor different devices in the network (such as routers, switches, printers and IoT devices).
