siunam's Website


Host header authentication bypass | Dec 28, 2022

Introduction

Welcome to another one of my writeups! In this PortSwigger Labs lab, you’ll learn about host header authentication bypass. Without further ado, let’s dive in.

Background

This lab makes an assumption about the privilege level of the user based on the HTTP Host header.

To solve the lab, access the admin panel and delete Carlos’s account.

Exploitation

Home page:

Let’s go to the admin panel (/admin):

It’s only available to local users.

In the lab’s background, it said:

This lab makes an assumption about the privilege level of the user based on the HTTP Host header.

Hmm… What if I intercept the GET request to /admin, and then modify the Host header to localhost?

Let’s forward that request:

Oh! I can access the admin panel!

Let’s delete user carlos!

Nice!
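To make the root cause concrete, here is an added example (my own code, not the lab’s or PortSwigger’s) that contrasts the flawed “local user” check the lab describes with a hardened version, and then runs a small detection over constructed access-log lines. The served hostname `lab.example`, the log format, and the client addresses are assumptions for this example.

```python
from ipaddress import ip_address

# Hostnames an application might naively treat as "local". Constructed for this example.
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}
# Hostname the application is actually served on (assumption for this example).
EXPECTED_HOST = "lab.example"


def host_name(headers):
    """Return the Host header value without any :port suffix, lower-cased."""
    host = headers.get("Host", "").strip().lower()
    if host.startswith("[") and "]" in host:   # bracketed IPv6 literal, e.g. [::1]:8080
        return host[1:host.index("]")]
    return host.split(":", 1)[0]


def is_local_user_vulnerable(peer_addr, headers):
    """The lab's flawed logic: 'local' is decided purely from the client-controlled
    Host header, so the TCP peer address is never consulted."""
    return host_name(headers) in LOOPBACK_NAMES


def is_local_user_hardened(peer_addr, headers):
    """Reject any Host value that is not the configured hostname (allow-list), then
    decide locality from the TCP peer address, which the client cannot forge."""
    if host_name(headers) != EXPECTED_HOST:
        return False
    try:
        return ip_address(peer_addr).is_loopback
    except ValueError:
        return False


def admin_panel(peer_addr, headers, check):
    """Simulated /admin handler: returns an HTTP status using the given locality check."""
    return 200 if check(peer_addr, headers) else 401


# Constructed requests: a remote client that spoofs Host, and a genuine loopback client.
SPOOFED = ("203.0.113.5", {"Host": "localhost"})
GENUINE = ("127.0.0.1", {"Host": "lab.example"})


def demo():
    """Status codes for both checks; the vulnerable check lets the spoofed request in."""
    return {
        "vulnerable_spoofed": admin_panel(*SPOOFED, is_local_user_vulnerable),
        "hardened_spoofed": admin_panel(*SPOOFED, is_local_user_hardened),
        "hardened_genuine": admin_panel(*GENUINE, is_local_user_hardened),
    }


# Constructed access-log lines: "<client ip> <Host header> <method> <path> <status>"
ACCESS_LOG = [
    "203.0.113.5 lab.example GET / 200",
    "203.0.113.5 lab.example GET /admin 401",
    "203.0.113.5 localhost GET /admin 200",
    "127.0.0.1 lab.example GET /admin 200",
]


def suspicious_host_requests(lines):
    """Detection: requests whose Host header is not the served hostname. A remote
    client sending a loopback Host is the signature of this bypass attempt."""
    hits = []
    for line in lines:
        client, host, _method, path, status = line.split()
        if host.lower() != EXPECTED_HOST:
            hits.append((client, host, path, int(status)))
    return hits


if __name__ == "__main__":
    print(demo())
    print(suspicious_host_requests(ACCESS_LOG))
```

The fix is two-fold: the application must not derive trust from a header the client controls, and the server (or reverse proxy) should reject requests whose Host does not match a configured allow-list, so a spoofed `Host: localhost` never reaches application logic at all.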

What we’ve learned:

  1. Host header authentication bypass