Vulnerability Host Header Injection on Carbonio Zextras Login page.

3 Posts
3 Users
0 Reactions
344 Views
(@filipenido)
Joined: 10 years ago
Posts: 2
Topic starter  

Hey guys,

The pentest team reported host header injection and SSRF vulnerabilities on my Carbonio Zextras login page. How can I correct this entry to mitigate the application vulnerability?

Through Burp I confirmed the redirection by manipulating the field.

Thanks for your help.

Regards.
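The usual root cause behind a Host-header-driven redirect is an application that builds absolute URLs from the incoming Host header instead of from a configured canonical hostname. The following is an added example of the defensive pattern, not code from this thread or from Zextras/Carbonio: it validates Host against an allowlist before the request is served, builds the post-login Location from a configured origin, and refuses absolute or protocol-relative "next" targets. The hostnames, the allowlist and the request samples are constructed.

```python
"""
Host header validation as a mitigation for Host header injection.

Added example, not code from the thread or from Zextras/Carbonio. It assumes a
generic web application (or a check placed in front of it on a reverse proxy)
that generates redirect URLs for its login page; the allowlist, canonical
origin and request samples below are constructed values.
"""
from urllib.parse import urlsplit

# Hostnames this deployment legitimately serves (constructed values).
ALLOWED_HOSTS = {"mail.example.com", "webmail.example.com"}
# Origin used for every absolute URL the application emits (constructed value).
CANONICAL_ORIGIN = "https://mail.example.com"


def host_is_allowed(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Return True only when the Host header names a host we actually serve.

    Comparison is case-insensitive and ignores a port suffix, so
    'Mail.Example.com:443' passes while a look-alike such as
    'mail.example.com.evil.example' or an empty/missing header does not.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        # IPv6 literal: keep the bracketed address, drop any ':port'.
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return host in allowed_hosts


def login_redirect_location(request_headers, next_path="/"):
    """Build the Location value for a post-login redirect.

    Vulnerable pattern (the one a poisoned Host header exploits):
        "https://" + request_headers["host"] + next_path
    Every link generated that way (login redirect, password-reset mail, etc.)
    follows whatever host the client supplied.

    Safe pattern implemented here: reject requests whose Host is not on the
    allowlist, never use the header when composing the URL, and only accept
    a same-site relative path as the redirect target.
    """
    host = request_headers.get("host")  # header names assumed lower-cased
    if not host_is_allowed(host):
        raise ValueError("rejected request with unexpected Host header: %r" % host)

    parts = urlsplit(next_path)
    if (parts.scheme or parts.netloc
            or not next_path.startswith("/") or next_path.startswith("//")):
        # Absolute and protocol-relative targets are open-redirect vectors;
        # fall back to the application root.
        next_path = "/"
    return CANONICAL_ORIGIN + next_path


if __name__ == "__main__":
    # Constructed requests: one legitimate, one with a poisoned Host header.
    legit = {"host": "webmail.example.com", "user-agent": "demo"}
    poisoned = {"host": "attacker.example", "user-agent": "demo"}
    print(login_redirect_location(legit, "/mail/inbox"))
    try:
        login_redirect_location(poisoned, "/mail/inbox")
    except ValueError as exc:
        print("blocked:", exc)
```

The allowlist check belongs as early as possible (ideally the reverse proxy returns 400 or a default virtual host for unknown names), and the canonical origin should be configuration rather than anything derived from the request, so that neither the login redirect nor any emailed link can be steered by a client-controlled header.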


   
Quote
(@stefanodavid)
Joined: 3 years ago
Posts: 227
 

Hi @filipenido thanks for the report, I will forward this information to our QA team. Can you perhaps share some more details, not on the forum but sending an email to documentation@zextras.com? Thank you!


   
ReplyQuote
(@sigtrap)
Joined: 1 year ago
Posts: 38
 

Posted by: @filipenido

The pentest team reported host header injection and SSRF vulnerabilities on my Carbonio Zextras login page. How can I correct this entry to mitigate the application vulnerability?

Through Burp I confirmed the redirection by manipulating the field.

So you inject headers and forge requests with a man-in-the-middle attack? If you break the TLS, you can do more than just host header injection and SSRF. What are the consequences of this vulnerability compared to all the other stuff you can do running the man-in-the-middle attack? Why not just change everything and inject some JavaScript at the same time?

//Sigtrap

 


   
ReplyQuote