| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | HTTP Host Header Attacks |
| Difficulty | Apprentice |
| Objective | Access the admin panel and delete the user carlos by abusing Host header-based access control |
# Host Header Authentication Bypass
Navigating to /admin was blocked immediately: "Admin interface only available to local users." The server is doing an origin check, and given the lab type, the obvious guess is that it's trusting the Host header to determine whether the request is local — a check that collapses the moment you lie about where the request is coming from. Intercepting the request to /admin and swapping the Host to localhost:

```http
GET /admin HTTP/2
Host: localhost
```
Admin panel loaded. The server accepted the request as if it came from the loopback interface. The Host header is client-controlled — using it as a security boundary instead of checking the actual source IP or enforcing access at the network layer means any attacker with a proxy can bypass it in one step.
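The check described above, in its vulnerable and hardened forms, as an added example (not the lab's server code or anything from PortSwigger). It models the server's view of a request with a small `Request` class whose `remote_addr` is the TCP peer address and whose headers are whatever the client sent; the request names, the `shop.example` host and the `203.0.113.7` client address are constructed for illustration.

```python
from dataclasses import dataclass
import ipaddress
from typing import Callable, Dict


@dataclass
class Request:
    """Minimal model of what the server sees for one request.

    `remote_addr` is the peer address from the TCP connection; `headers`
    (including Host) are whatever the client chose to send.
    """
    path: str
    headers: Dict[str, str]
    remote_addr: str


def strip_port(host: str) -> str:
    """Return the host part of a Host header value without any :port suffix.

    Bracketed IPv6 literals such as "[::1]:8080" keep their brackets.
    """
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def is_local_vulnerable(req: Request) -> bool:
    """The lab's flaw: treat the request as local if the Host header says so.

    Host is client-controlled, so a remote client that sends "Host: localhost"
    passes this check.
    """
    return strip_port(req.headers.get("Host", "")) in LOOPBACK_HOSTS


def is_local_hardened(req: Request) -> bool:
    """Decide on the transport-layer peer address instead of any header.

    Only a connection that really arrives from a loopback address (127.0.0.0/8
    or ::1) counts as local. Behind a reverse proxy, remote_addr would be the
    proxy's address, so the decision would then have to move to the proxy (or
    rely on a header the proxy is configured to overwrite, never one the
    client can supply).
    """
    try:
        return ipaddress.ip_address(req.remote_addr).is_loopback
    except ValueError:
        return False


def host_is_allowed(req: Request, allowed_hosts: set) -> bool:
    """Independent hardening: reject any Host value the server was not
    configured to serve, so the header cannot select routing or access rules
    that were never meant to be client-controlled.
    """
    return strip_port(req.headers.get("Host", "")) in allowed_hosts


# Constructed sample traffic (not captured from the lab). 203.0.113.7 is a
# documentation-range address standing in for an external client.
SAMPLE_REQUESTS = {
    "external_spoofed_host": Request("/admin", {"Host": "localhost"}, "203.0.113.7"),
    "external_real_host": Request("/admin", {"Host": "shop.example"}, "203.0.113.7"),
    "genuine_loopback_v4": Request("/admin", {"Host": "localhost:8080"}, "127.0.0.1"),
    "genuine_loopback_v6": Request("/admin", {"Host": "[::1]:8080"}, "::1"),
}


def admin_status(req: Request, is_local: Callable[[Request], bool]) -> int:
    """HTTP status the admin route would return under a given locality check."""
    if req.path.startswith("/admin") and not is_local(req):
        return 403
    return 200


def evaluate(is_local: Callable[[Request], bool]) -> Dict[str, int]:
    """Run every sample request through the given check; map label -> status."""
    return {label: admin_status(req, is_local) for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, check in (("vulnerable", is_local_vulnerable), ("hardened", is_local_hardened)):
        print(name, evaluate(check))
```

Running it shows the only row that changes between the two checks is the external client sending `Host: localhost`: the vulnerable check lets it into /admin, the hardened check returns 403, while genuine loopback clients (with or without a port suffix, IPv4 or IPv6) are unaffected. The `host_is_allowed` check is a separate control worth having regardless of the locality decision.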
Deleting carlos using the same spoofed header:

```http
GET /admin/delete?username=carlos HTTP/2
Host: localhost
```

The response was a 302 redirect; following it with the spoofed Host header still in place confirmed that carlos was gone.
Lab solved :P