Description:

This is a Host-header-based SSRF example. In this type of SSRF, any IP address or hostname entered in the Host header is parsed by the vulnerable server. The vulnerable server ends up routing the request to the specified domain or IP, retrieves the contents, and returns them in the HTTP response. This type of misconfiguration can easily be exploited to exfiltrate data from sensitive locations (e.g. internal locations, AWS metadata, local files, etc.).

This misconfiguration is usually seen in web servers that act like a proxy, such as Squid proxy, Nginx and Apache.

1. Install the NGINX web server on an Ubuntu machine:

  apt-get install nginx

2. Replace the contents of the file below with the NGINX web server default file provided here:

  /etc/nginx/sites-available/default

3. Reload the NGINX web server with the following command:

  service nginx reload

4. Server-side request forgery exploitation:

In Burp Suite, send the request to the Repeater tab and click the Send button:

Now, when we change the value of the Host header to some other hostname/IP (192.168.56.104 in this case), the web proxy server makes an HTTP request to that host and returns the HTTP response from that host:
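
A defender-side check for the misconfiguration described above, added here as an example and not part of this repository: it scans NGINX configuration text for `proxy_pass` targets whose host part is built from client-supplied variables such as `$host` or `$http_host`. The sample configuration is constructed (the repository's `default` file is not reproduced on this page), and `audit_nginx_config` is a hypothetical helper name.

```python
import re

# Variables filled from the request: $host, any $http_<header>, any $arg_<name>.
# \b keeps $hostname (the server's own name) from matching.
CLIENT_CONTROLLED = re.compile(r"\$\{?(host|http_[a-z0-9_]+|arg_[a-z0-9_]+)\b")
PROXY_PASS = re.compile(r"^\s*proxy_pass\s+(?P<target>[^;]+);", re.IGNORECASE)
SCHEME = re.compile(r"^[a-z]+://", re.IGNORECASE)


def audit_nginx_config(text):
    """Return (line_number, target) for each proxy_pass whose upstream host
    is derived from request data."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]              # drop trailing comments
        match = PROXY_PASS.match(code)
        if not match:
            continue
        target = match.group("target").strip()
        # Only the authority (host[:port]) decides where the request is sent.
        authority = SCHEME.sub("", target).split("/", 1)[0]
        if CLIENT_CONTROLLED.search(authority):
            findings.append((number, target))
    return findings


# Constructed sample: the first server block shows the weak pattern,
# the second a fixed upstream.
SAMPLE_CONFIG = """\
# Constructed example, not the repository's file.
server {
    listen 80 default_server;
    resolver 127.0.0.53;
    location / {
        proxy_pass http://$host;            # weak: upstream chosen by the Host header
    }
}
server {
    listen 8080;
    server_name app.example.internal;
    location / {
        proxy_pass http://127.0.0.1:3000;   # fixed upstream
        proxy_set_header Host $host;
    }
}
"""

if __name__ == "__main__":
    for number, target in audit_nginx_config(SAMPLE_CONFIG):
        print(f"line {number}: proxy_pass target '{target}' is client-controlled")
```

The check is a line-based heuristic: it does not follow `include` files or variables assigned through `set` or `map`.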

./init 0