XSS via X-Forwarded-Host header (Small Bounty of 150$)

ShuttlerTech
2 min read · Feb 22, 2023


Hello, Hunters. I know you are here because you are struggling or want to advance in your career. Believe me, things take time. Be consistent, continue to learn, and never deceive yourself. If you follow these three mantras, you will undoubtedly achieve success.

Summary:

The https://www.xyz.co/ website reflects the value of the X-Forwarded-Host request header into its response without encoding it, so a crafted header value results in cross-site scripting.

Description:

The server reads the X-Forwarded-Host header straight from the HTTP request and writes its value into the HTTP response without encoding it. Reflected XSS occurs when an attacker gets a victim to send dangerous content to a vulnerable web application, which reflects it back to the victim, where the browser executes it. The most common delivery method is a parameter in a URL that is publicly posted or e-mailed directly to the victim; many phishing schemes rely on URLs constructed in this manner, in which an attacker convinces a victim to visit a URL that leads to a vulnerable site. This case differs from URL-parameter reflection in one important way: a browser never sends X-Forwarded-Host on its own, so the header has to be introduced by an intermediary (a reverse proxy or CDN that forwards client-supplied values, or a cache that stores the poisoned response) before anyone other than the tester is affected. Whether such an intermediary exists decides the real-world severity, which is why header-based XSS is usually rated lower than a URL-based reflection.

Steps To Reproduce: Original Link — https://www.xyz.co/

  1. Go to https://www.xyz.co/ and intercept the request in Burp Suite.
  2. Send the request to Repeater and add the following header directly below Host: www.xyz.co
     X-Forwarded-Host: bing.com"><img src/onerror=prompt(document.cookie)>
  3. Send the request, then on the Response tab right-click and select Show response in browser.
  4. Paste the generated link into your browser; the injected payload executes and a prompt dialog appears.
  5. The prompt displays the cookies readable by JavaScript (cookies marked HttpOnly are not included).

Mitigation: Do not use X-Forwarded-Host to build URLs or page content unless a trusted reverse proxy sets it; have that proxy overwrite any client-supplied value, validate the resolved host against an allowlist of the site's own hostnames, and HTML-encode it (like every other header-derived value) wherever it is written into the response.

Impact:

This vulnerability allows attackers to deliver malicious JavaScript to unsuspecting users. Because the user's browser has no way of knowing the script should not be trusted, it executes it. Because the browser believes the script came from a trusted source, namely your website, the script can access any cookies not marked HttpOnly, session tokens, or other sensitive information stored by the browser and used with your site, and it can rewrite the HTML page's content. As noted above, reaching other users requires an intermediary that forwards or caches the attacker's header value.

Thank you for reading! I hope you learned a few tricks.

Subscribe to the Shuttlertech YouTube channel for more content of this type and to watch live POCs. To advance your career, connect with me 1:1 over topmate.
I assure you that I will write more interesting and knowledge-sharing writeups; to encourage me, follow me on Medium and click the clap icon.


ShuttlerTech

Senior Cyber Security Analyst| YouTuber| Freelancer| Cyber Security Trainer | Penetration Tester| Cyber Forensics Investigator