#2892
Investigating
Bug report
Description

Since the application is not validating the header's value, an attacker can inject the “X-Forwarded-Host” header in order to redirect the response to another domain.

How to reproduce
  1. Log in to the TBG application with any valid user and perform a search; save it.
  2. Fill out the fields with any value and click on the “Save search” button.
  3. Intercept the request with any proxy tool and add the following header: X-Forwarded-Host: attacker.com.
  4. Click on the “Run to Completion” button to proceed with the request.
  5. As you can see, a 200 OK response was received, proving that it is possible to inject a header in the request.
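The hardening this report calls for, as an added example in Python (not code from The Bug Genie): the forwarded host is only honoured when the connection comes from a trusted reverse proxy and the value is on an explicit allow-list, otherwise the server falls back to the Host header it actually received or refuses to build the URL. ALLOWED_HOSTS, TRUSTED_PROXIES and the header dictionaries are constructed for the example.

```python
"""Resolve the effective request host without trusting X-Forwarded-Host blindly."""
from ipaddress import ip_address, ip_network

# Constructed configuration (not from the TBG project): hosts the application
# may legitimately serve, and the proxy networks allowed to set X-Forwarded-Host.
ALLOWED_HOSTS = {"bugs.example.org", "bugs.example.org:8443"}
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("127.0.0.1/32")]


def effective_host(headers: dict, remote_addr: str) -> str:
    """Return the host name that is safe to use in absolute URLs and redirects.

    headers: request headers with lower-cased names (constructed input).
    remote_addr: peer IP of the TCP connection, never taken from a header.
    Raises ValueError when no acceptable host can be determined.
    """
    candidates = []
    forwarded = headers.get("x-forwarded-host")
    from_trusted_proxy = any(ip_address(remote_addr) in net for net in TRUSTED_PROXIES)
    if forwarded and from_trusted_proxy:
        # Proxies may append a comma-separated chain; only the first entry
        # is the client-facing host.
        candidates.append(forwarded.split(",")[0].strip().lower())
    # The Host header the server itself received is the fallback, and the
    # only source when the request did not come through a trusted proxy.
    if headers.get("host"):
        candidates.append(headers["host"].strip().lower())
    for host in candidates:
        # Exact allow-list match: anything else (attacker.com, odd ports,
        # embedded paths or credentials) is rejected rather than sanitised.
        if host in ALLOWED_HOSTS:
            return host
    raise ValueError("request host not in allow-list: %r" % (candidates,))


def safe_redirect_url(headers: dict, remote_addr: str, path: str) -> str:
    """Build an absolute URL for a redirect from the validated host only."""
    return "https://" + effective_host(headers, remote_addr) + path


if __name__ == "__main__":
    # An untrusted client sets the header directly: it is ignored, Host wins.
    print(effective_host({"host": "bugs.example.org",
                          "x-forwarded-host": "attacker.com"}, "203.0.113.5"))
```

If the original Host header has also been tampered with, the function raises instead of emitting a redirect to a foreign domain, which is the behaviour the report shows is missing.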
zegenie
Jun 27, 2020 (10:53)

@thnguyen could you explain in more detail how this attack would work? I understand the description, but I'm unsure about the effect.
