Different host header injection worth 2k

Imran Nissar
2 min read · Jun 7, 2020


Hello guys, I hope you're doing great. In this story I will be covering a beautiful/challenging host header injection.

So the story goes like this: when I was new to bug bounty I was very curious. One night, as I was trying to sleep, I got a notification that a program (let's call it the redacted program) had just gone public. As we know, when someone is new to this field there is a strange excitement, so I fired up Kali and began testing.

In this post I won't be covering the basics of what host header injection is; if you don't know, I would suggest you google it. Thank you.

Within a few minutes I found a host header injection vulnerability. I reported it, but deep down I had the feeling it would be a dupe. Lucky me: when I woke up in the morning they had already fixed it and awarded me a $1000 bounty, my first four-digit bounty. But the story doesn't end here.

So I began to retest the same functionality and noticed that they were still accepting user input in the Host header (I don't know why). But there was a surprise: they were no longer accepting anything like evil.com, only a few symbols, namely # and ?. However, I noticed that anything placed after the ? was still getting through, for example:

Host: redacted.com?anythin<b>imran</b>

It was getting reflected in the email, so I thought: let's try an <a href> tag in the Host header.

So the final payload that successfully replaced the original host with the one given was:

Host: redacted.com?"><a href='evil.com

I reported the bypass and got rewarded again, with some extra bonus this time.
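As an added example (not code from the original post), here is the kind of prefix check that lets a value like the one above through, next to a strict allowlist check that does not. The allowlist, the hostname grammar and the reset-link function are assumptions, since the real application is redacted.

```python
import html
import re
from typing import Optional

# Hypothetical allowlist for the application (the real host in the post is redacted).
ALLOWED_HOSTS = {"redacted.com", "www.redacted.com"}

# One hostname label: alphanumerics and hyphens, no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^(?P<name>{_LABEL}(?:\.{_LABEL})*)(?::(?P<port>\d{{1,5}}))?$")


def weak_host_check(host: str) -> bool:
    """A prefix check of the kind the writeup implies was in place: it blocks
    'evil.com' but passes 'redacted.com?...' because the value starts with the
    trusted name, so '?', '#' and any HTML after them go straight through."""
    return host.startswith("redacted.com")


def strict_host_check(host: str) -> bool:
    """Parse Host as hostname[:port] and require an exact allowlist match.
    A value carrying '?', '#', quotes or '<' fails the grammar outright."""
    m = _HOST_RE.fullmatch(host.strip().lower())
    return m is not None and m.group("name") in ALLOWED_HOSTS


def build_reset_link(host: str) -> Optional[str]:
    """Build the link that is embedded in the email. Returns None when the Host
    header is not one we own, so nothing request-derived reaches the message;
    what does reach the HTML body is escaped as a last line of defence."""
    if not strict_host_check(host):
        return None
    name = host.strip().lower().split(":")[0]
    return html.escape(f"https://{name}/reset", quote=True)


def compare_checks(hosts):
    """Return {host: (weak_result, strict_result)} for a list of Host values."""
    return {h: (weak_host_check(h), strict_host_check(h)) for h in hosts}


# Constructed sample values: the post's two payloads plus three benign hosts.
SAMPLE_HOSTS = [
    "redacted.com",
    "WWW.Redacted.com:443",
    "evil.com",
    "redacted.com?anythin<b>imran</b>",
    "redacted.com?\"><a href='evil.com",
]
```

Running compare_checks(SAMPLE_HOSTS) shows the weak check accepting both payloads while the strict check rejects them, and the safest variant of build_reset_link reads the hostname from configuration and never from the request at all.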

I hope you guys have liked it. Sorry for any mistakes, as this one is my first writeup.

Thank you
