Different host header injection worth 2k
Hello guys, I hope you're doing great. In this story I will be covering a beautiful/challenging host header injection.
So the story goes like this: when I was new to bug bounty I was very curious. One night, as I was trying to sleep, I got the notification that a program, let's call it the redacted program, is now public. As we know, when someone is new to this field there is a strange excitement. I fired up Kali and began testing.
In this post I won't be covering the basics of what host header injection is; if you don't know, I would suggest you Google it. Thank you.
So in a few minutes I found this vulnerability called host header injection. I reported it, but deep down I was getting the feeling that this would be a dupe. Lucky me: when I woke up in the morning they had already fixed it and awarded me a $1000 bounty, my first 4 digit bounty. But the story doesn't end here.
So I began to retest the same functionality and noticed that they were still accepting the user input, I don't know why. But there was a surprise: they were not accepting anything like evil.com or similar, only a few symbols, which were # and ?. But I noticed that anything after ? was accepted, for example
Host: redacted.com?anythin<b>imran</b>
It was getting reflected in the email, so I thought let's try an <a href> tag in the host header.
So the final payload that successfully replaced the original host with the one given was
Host: redacted.com?"><a href='evil.com
I reported the bypass and got rewarded again, with some extra bonus this time.
I hope you guys have liked it. Sorry for any mistakes, as this one is my first writeup.
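As an added example that is not part of the original writeup, here is a Python sketch of the fix a defender would want for this class of bug: a prefix check of the kind this bypass defeats, next to a strict parser that accepts only allowlisted hostnames (plus an optional port), so values with ? or # suffixes never reach the email template. The ALLOWED_HOSTS set, the weak_check and strict_host functions, and building the reset link from the canonical configured host instead of the raw request header are all assumptions, not the program's actual code.

```python
import html
import re

# Hostnames this application is actually served under (constructed allowlist).
ALLOWED_HOSTS = {"redacted.com", "www.redacted.com"}
CANONICAL_HOST = "redacted.com"

# Strict Host header syntax: DNS labels plus an optional :port and nothing else.
# Characters such as '?', '#', '"', '<' or '/' make the whole value fail.
_HOST_RE = re.compile(
    r"^(?P<host>(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)"
    r"(?::(?P<port>\d{1,5}))?$"
)


def weak_check(host_header: str) -> bool:
    """Prefix check of the kind the writeup's payloads slip past:
    the value only has to begin with the real domain."""
    return host_header.lower().startswith("redacted.com")


def strict_host(host_header: str):
    """Return the canonical hostname if the Host header is syntactically
    a bare hostname[:port] AND on the allowlist; otherwise return None."""
    match = _HOST_RE.match(host_header.strip().lower())
    if match is None:
        return None
    host = match.group("host")
    return host if host in ALLOWED_HOSTS else None


def reset_link(host_header: str, token: str) -> str:
    """Build the link embedded in the email. The host comes from the
    validated allowlist entry, falling back to the configured canonical
    host; the untrusted header text itself is never interpolated."""
    host = strict_host(host_header) or CANONICAL_HOST
    return f"https://{host}/reset?token={html.escape(token, quote=True)}"
```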
Thank you