29 Jun
Exploiting HTTP redirect function via the Host header
I am testing a web application and found a redirect function which seems to be insecure. If I visit a non-existing page, then I am getting redirected to login page of application. However the redirect function can be exploited by setting custom Host header:
GET /temp/temp/nonexisting HTTP/1.1
Host: www.someevilsite.com
The server then responds with:
HTTP/1.1 302 Found
...
location: www.someevilsite.com/login
And it simply redirects me to the evil page. If it is possible to forge a remote user's Host header and make him click a custom URL, then the user can be redirected to the evil page and potentially get his password stolen.
However, I can't seem to come up with a scenario in which I can compromise a user's Host header. Are there any ways to manipulate a user's Host header, considering the website is over HTTPS?
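The redirect behaviour described in the question, placed beside a hardened form, as an added example that is not part of the original post or the application being tested. The configuration names (`CANONICAL_HOST`, `ALLOWED_HOSTS`, `KNOWN_PATHS`) and the host `app.example.com` are assumptions made for the example; the point is that the `Location` header must be built from server-side configuration, with the client-supplied Host header used at most to select one of the names the server actually serves.

```python
"""Host-header-driven redirect: the insecure pattern from the question next to a
hardened one. All hosts and paths below are constructed for this example."""
from __future__ import annotations

from urllib.parse import urlsplit

# Server-side configuration (assumed for the example, not from the original post).
CANONICAL_HOST = "app.example.com"
ALLOWED_HOSTS = frozenset({"app.example.com", "app.example.com:8443"})
KNOWN_PATHS = frozenset({"/", "/login"})


def insecure_login_location(host_header: str) -> str:
    """Mirrors the behaviour reported in the question: the Location value is
    built straight from the client-supplied Host header, so whatever host the
    client sends ends up in the redirect."""
    return f"{host_header}/login"


def _normalize_host(host_header: str) -> str:
    """Lower-case the Host value, strip whitespace and a default :443 port.
    Returns '' for anything that is not a plain host[:port] token."""
    host = host_header.strip().lower()
    # Reject characters that would turn the value into a URL with a path,
    # userinfo, query or fragment instead of a bare authority.
    if not host or any(c in host for c in "/\\@?#"):
        return ""
    try:
        parts = urlsplit("//" + host)
        hostname, port = parts.hostname, parts.port  # .port raises on junk
    except ValueError:
        return ""
    if hostname is None:
        return ""
    if port is None or port == 443:
        return hostname
    return f"{hostname}:{port}"


def secure_login_location(host_header: str) -> str:
    """Hardened form: always an absolute https URL on a host the server owns.
    The Host header only selects among allow-listed names; anything else falls
    back to the canonical host, so an attacker-chosen host can never appear."""
    host = _normalize_host(host_header)
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    return f"https://{host}/login"


def handle_request(path: str, headers: dict[str, str]) -> tuple[int, dict[str, str]]:
    """Minimal model of the server's 'unknown page -> redirect to login' logic.
    Stricter variant: a Host the server does not serve is answered with 400
    rather than used for anything, which also makes such requests easy to spot
    in access logs."""
    host = _normalize_host(headers.get("Host", ""))
    if host not in ALLOWED_HOSTS:
        return 400, {}
    if path in KNOWN_PATHS:
        return 200, {}
    return 302, {"Location": secure_login_location(host)}


if __name__ == "__main__":
    evil = "www.someevilsite.com"
    print("insecure:", insecure_login_location(evil))
    print("secure:  ", secure_login_location(evil))
    print("strict:  ", handle_request("/temp/temp/nonexisting", {"Host": evil}))
```

Two mitigations are shown because they fit different deployments: `secure_login_location` canonicalizes (useful when the same application legitimately serves several hostnames and a wrong Host should just be corrected), while `handle_request` fails closed with a 400, which is the simpler choice behind a reverse proxy that already pins the hostname. Either way the redirect target never depends on a value the client controls.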