Host header authentication bypass
This lab makes an assumption about the privilege level of the user based on the HTTP Host header.
GET /request that received a
200response to Burp Repeater. Notice that you can change the Host header to an arbitrary value and still successfully access the home page.
/robots.txtand observe that there is an admin panel at
Try and browse to
/admin. You do not have access, but notice the error message, which reveals that the panel can be accessed by local users.
GET /adminrequest to Burp Repeater.
In Burp Repeater, change the Host header to
localhostand send the request. Observe that you have now successfully accessed the admin panel, which provides the option to delete different users.
Change the request line to
GET /admin/delete?username=carlosand send the request to delete Carlos and solve the lab.
An attacker will need to access the admin panel and delete Carlos’s account.