IRCCloud: Host Header is not validated resulting in Open Redirect

ID H1:7357
Type hackerone
Reporter anshuman_bh
Modified 2014-04-24T09:52:31


Please see the attached screenshot, where I send a request with an invalid Host header and am redirected to that domain. This happens because the Host header is not validated to ensure that the request is actually addressed to the target host. The links above describe two ways to exploit this issue: 1. web-cache poisoning and/or 2. alternate channels such as password reset emails.

For the first way, the issue can be exploited by poisoning a cache with a response that redirects to the attacker's domain and then having that poisoned response served to legitimate users, who are redirected to the attacker's domain. The details of this attack vary by web server, since different servers interpret duplicate Host headers in different ways. The attack vectors are explained well in the blogs above, so I won't reiterate them here.

For the second way, I verified that the password reset functionality on the IRC Cloud website does not use the Host header when sending emails. Still, validating the Host header is always good practice.
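As an added illustration of the fix the report asks for (example code written for this page, not IRCCloud's own code), the block below places a redirect builder that trusts the client-supplied Host header next to a hardened version that only accepts a single, well-formed Host matching an allowlist, and builds password reset links from a configured canonical host rather than from the request. The allowed hostnames, the canonical host, the request samples and the function names are all assumptions made for the example.

```python
import re
from urllib.parse import urlunsplit

# Assumed configuration for the example: the hosts the application is actually
# served on, and the one host that outbound links (e.g. reset emails) should use.
ALLOWED_HOSTS = {"www.irccloud.com", "irccloud.com"}
CANONICAL_HOST = "www.irccloud.com"

# Hostname, optionally followed by a numeric port. No "@", "/", "\" or spaces,
# so a crafted value cannot smuggle userinfo or a path into the Location URL.
_HOST_RE = re.compile(r"^[a-z0-9.-]+(:\d{1,5})?$")


def vulnerable_redirect(headers, path):
    """The reported behaviour: the Location URL is built from whatever Host
    the client sent, so an attacker-controlled Host yields an open redirect.
    headers is a list of (name, value) pairs, as a server would receive them."""
    host = next((v for n, v in headers if n.lower() == "host"), "")
    return urlunsplit(("https", host, path, "", ""))


def validate_host(headers, allowed=ALLOWED_HOSTS):
    """Return the validated Host value, or None if the request must be refused."""
    values = [v.strip().lower() for n, v in headers if n.lower() == "host"]
    # Servers disagree on whether the first or last duplicate Host wins, which
    # is what the cache-poisoning variants rely on, so refuse anything but exactly one.
    if len(values) != 1:
        return None
    host = values[0]
    if not _HOST_RE.match(host):
        return None
    hostname = host.rsplit(":", 1)[0] if ":" in host else host
    if hostname not in allowed:
        return None
    return host


def safe_redirect(headers, path):
    """Hardened redirect: (status, headers). Requests whose Host is not one of
    ours get a 400 instead of a Location header pointing off-site."""
    host = validate_host(headers)
    if host is None:
        return 400, {}
    return 302, {"Location": urlunsplit(("https", host, path, "", ""))}


def password_reset_link(token):
    """Links sent out of band never consult the request at all."""
    return "https://{}/reset?token={}".format(CANONICAL_HOST, token)


# Constructed sample requests (not captured traffic).
ATTACKER_REQUEST = [("Host", "attacker.example")]
LEGIT_REQUEST = [("Host", "www.irccloud.com")]
DUPLICATE_HOST_REQUEST = [("Host", "www.irccloud.com"), ("Host", "attacker.example")]

if __name__ == "__main__":
    print(vulnerable_redirect(ATTACKER_REQUEST, "/login"))   # off-site redirect
    print(safe_redirect(ATTACKER_REQUEST, "/login"))         # (400, {})
    print(safe_redirect(LEGIT_REQUEST, "/login"))
    print(safe_redirect(DUPLICATE_HOST_REQUEST, "/login"))   # (400, {})
    print(password_reset_link("example-token"))
```

The allowlist check is deliberately on the hostname only, so a legitimate explicit port still passes, while the regex rejects the characters that would let a Host value rewrite the authority part of the URL. Frameworks that offer an equivalent setting (Django's ALLOWED_HOSTS, for instance) implement the same idea; the point is that the server, not the client, decides which hostnames are valid for it.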