Unvalidated redirect via Host Header

Note that the request path has no trailing slash. Requesting an existing directory without the slash usually makes the server answer with a 301/302 to the same path with the slash appended, and many servers build that Location URL from the Host header of the request. So, assuming the assets directory exists on the application, change www.example.com to the attacker's website and check whether the Location header now points at it. Restrictions are sometimes only partial (for one scheme but not the other), so send the same request over both HTTPS and HTTP.

  • Original:
GET /assets HTTP/1.1
Host: www.example.com
  • Edited:
GET /assets HTTP/1.1
Host: www.evil.com

Internal Disclosures via HTTP/1.0

Internal IP addresses or internal host names disclosed in responses reveal other entities on the local network and give additional information about the internal infrastructure.

On some websites, the request below makes the Location header reveal an internal IP address or host name, or exposes headers that do not appear in ordinary responses. HTTP/1.0 does not require a Host header, so send the request without one: a server or load balancer that has no Host value to build the redirect from may fall back to its own configured name or bound address. In Burp, make sure the protocol is set to HTTP/1.1 and not HTTP/2, or Burp will upgrade the request to HTTP/2 on its own (the request line itself stays HTTP/1.0 as written). Try both HTTP and HTTPS. Any endpoint that answers with a 3xx redirect will do.

GET /assets HTTP/1.0

Sometimes the target website is not self-hosted but runs on Amazon Web Services. In that case the disclosed name or address may belong to an AWS instance or load balancer (private hostname or private IP) rather than to an on-premises host.
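The script below is an added example and is not part of the original notes or Burp. It automates both checks described above: the HTTP/1.1 request with a swapped Host header (does the Location header reflect it?) and the HTTP/1.0 request without a Host header (does the Location header leak a private IP or an internal-only host name?). The target www.example.com and path /assets are taken from the requests above as placeholders, the list of internal host-name suffixes is a heuristic assumption, and the sample responses at the bottom are constructed so that the analysis runs offline.

```python
"""Host-header redirect checks: injected-Host reflection and internal
host/IP disclosure.  Added example; not part of the original notes.
Target host/path are placeholders and the sample responses are
constructed, so the analysis part runs fully offline."""
import ipaddress
import re
import socket
import ssl
from urllib.parse import urlsplit

# RFC 1918 / loopback / link-local ranges: a Location pointing here is an
# internal address disclosure.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Assumed heuristic: suffixes that only resolve inside a network.  ".internal"
# also covers AWS EC2 private DNS names such as ip-10-0-12-34.ec2.internal.
INTERNAL_HOST_RE = re.compile(r"\.(internal|local|lan|corp|intranet)$", re.I)


def build_request(path, host=None, version="1.1"):
    """Raw request bytes; host=None omits the Host header (the HTTP/1.0 test)."""
    lines = [f"GET {path} HTTP/{version}"]
    if host is not None:
        lines.append(f"Host: {host}")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_response(raw):
    """Return (status_code, {lowercased header name: value}) from raw bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ")[1])
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_location(location, injected_host=None):
    """Label a Location value: 'reflected' (our Host came back), 'internal'
    (private IP or internal-only name), 'relative' (no host) or 'other'."""
    parts = urlsplit(location)
    if not parts.netloc:
        return "relative"
    host = parts.hostname or ""
    if injected_host and host.lower() == injected_host.lower():
        return "reflected"
    try:
        if any(ipaddress.ip_address(host) in net for net in PRIVATE_NETS):
            return "internal"
    except ValueError:  # not an IP literal, so check the name instead
        pass
    if INTERNAL_HOST_RE.search(host):
        return "internal"
    return "other"


def analyse(raw_response, injected_host=None):
    """Apply the checks to one raw response; only 3xx answers are of interest."""
    status, headers = parse_response(raw_response)
    location = headers.get("location")
    if not 300 <= status < 400 or location is None:
        return {"status": status, "location": location, "finding": None}
    return {"status": status, "location": location,
            "finding": classify_location(location, injected_host)}


def send_raw(target, port, request, use_tls):
    """Send raw request bytes over TCP (optionally TLS) and return the response.
    Network helper for live testing; the offline samples below do not use it."""
    sock = socket.create_connection((target, port), timeout=10)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # the Host we send may be bogus
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=target)
    with sock:
        sock.sendall(request)
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample responses (not captured from any real server).
SAMPLE_REFLECTED = (b"HTTP/1.1 301 Moved Permanently\r\n"
                    b"Location: http://www.evil.com/assets/\r\n\r\n")
SAMPLE_INTERNAL_NAME = (b"HTTP/1.1 302 Found\r\nLocation: "
                        b"http://ip-10-0-12-34.eu-west-1.compute.internal/assets/\r\n\r\n")
SAMPLE_INTERNAL_IP = b"HTTP/1.0 301 Moved Permanently\r\nLocation: https://10.1.2.3/assets/\r\n\r\n"
SAMPLE_RELATIVE = b"HTTP/1.1 301 Moved Permanently\r\nLocation: /assets/\r\n\r\n"

if __name__ == "__main__":
    for label, raw, injected in (("reflected", SAMPLE_REFLECTED, "www.evil.com"),
                                 ("internal name", SAMPLE_INTERNAL_NAME, None),
                                 ("internal ip", SAMPLE_INTERNAL_IP, None),
                                 ("relative", SAMPLE_RELATIVE, None)):
        print(label, analyse(raw, injected))
    # Live use against the placeholder target (both schemes, both variants):
    # analyse(send_raw("www.example.com", 443, build_request("/assets", "www.evil.com"), True), "www.evil.com")
    # analyse(send_raw("www.example.com", 80, build_request("/assets", None, "1.0"), False))
```

A "reflected" finding on the Host-header variant is the open redirect from the first section; an "internal" finding on the HTTP/1.0 variant is the disclosure from the second. Run each variant over both port 80 and port 443, since a fix applied to one scheme is often missing on the other.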