
Collaborator: What are the exploitability differences between DNS lookups from different headers?

Michael Blake Nov 25, 2017 12:11AM UTC

Looking at the scan logs from Collaborator, I'm seeing medium severity for DNS lookups when the URL is supplied in either X-Forwarded-For or X-Wap-Profile, but red when it's caused by the Host header. I'm trying to understand why they are of different severity. In both instances, the server is performing a DNS request. Is it because the Host header isn't meant to be changed, so the server might be thinking it's an internal host rather than a client IP? Even then, I don't see how it can be exploited any differently.


James Kettle Nov 27, 2017 09:48AM UTC Support Center agent

Hi Michael,

The DNS lookup itself is not the vulnerability; it’s simply evidence of a potentially dangerous behaviour. Lookups from different headers indicate different potential vulnerabilities. For example, a lookup on the X-Forwarded-For header indicates a potential IP spoofing vulnerability, whereas a lookup on the Host header can signify SSRF which is typically much more serious. You can find further information in the scanner issue description, and in my whitepaper at http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html

Cheers,

James
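To make the distinction in the reply above concrete, here is an added example (not code from the thread or from PortSwigger) that simulates a server handling both headers. Instead of querying DNS it records every name it would have resolved, which is the same signal Collaborator reports, and it contrasts the vulnerable handling with a hardened version that never resolves a request-supplied name. The canonical host, the trusted proxy address, the request values and the `/internal/health` path are all constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed configuration for the example (assumption, not from the thread).
CANONICAL_HOST = "app.example.internal"
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def resolve(hostname: str, log: List[str]) -> str:
    """Stand-in for gethostbyname(): records the name instead of querying DNS.
    Each entry is one lookup an out-of-band service like Collaborator would see."""
    log.append(hostname)
    return "192.0.2.1"  # documentation-range placeholder, no real resolution


def internal_url_vulnerable(headers: Dict[str, str], log: List[str]) -> str:
    """Server-side URL built from the Host header, then resolved.
    A lookup here means the server connects wherever the request says: SSRF."""
    host = headers.get("Host", CANONICAL_HOST)
    resolve(host, log)
    return f"https://{host}/internal/health"


def internal_url_hardened(headers: Dict[str, str], log: List[str]) -> str:
    """Only the configured host is ever resolved; any other Host value is rejected."""
    if headers.get("Host", "").lower() != CANONICAL_HOST:
        raise ValueError("Host header does not match the configured host")
    resolve(CANONICAL_HOST, log)
    return f"https://{CANONICAL_HOST}/internal/health"


def client_ip_vulnerable(headers: Dict[str, str], peer_ip: str, log: List[str]) -> str:
    """Trusts X-Forwarded-For from anyone and reverse-resolves it for the access log.
    A lookup here shows the client controls its recorded source address: IP spoofing."""
    claimed = headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()
    resolve(claimed, log)
    return claimed


def client_ip_hardened(headers: Dict[str, str], peer_ip: str, log: List[str]) -> str:
    """Honours X-Forwarded-For only from a trusted proxy, takes the entry that proxy
    appended (the rightmost), and accepts only a literal IP address, so no
    request-supplied name is ever resolved."""
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return peer_ip
    claimed = headers.get("X-Forwarded-For", "").split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        return peer_ip


def handle_request(headers: Dict[str, str], peer_ip: str, hardened: bool) -> dict:
    """Runs one request through either handler pair and reports the outcome plus
    every name the server would have looked up."""
    log: List[str] = []
    result: dict = {"lookups": log}
    try:
        if hardened:
            result["url"] = internal_url_hardened(headers, log)
            result["client_ip"] = client_ip_hardened(headers, peer_ip, log)
        else:
            result["url"] = internal_url_vulnerable(headers, log)
            result["client_ip"] = client_ip_vulnerable(headers, peer_ip, log)
    except ValueError as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Constructed request: both headers carry a hostname chosen by the client.
    request = {"Host": "evil.example.net", "X-Forwarded-For": "spoof.example.net"}
    print(handle_request(request, "203.0.113.9", hardened=False))
    print(handle_request(request, "203.0.113.9", hardened=True))
```

In the vulnerable run both names are resolved, but only the Host-driven lookup leads to a server-side connection to a client-chosen destination, which is why the scanner rates it higher; the X-Forwarded-For lookup only affects what gets logged or matched against an IP allow list. In the hardened run nothing supplied by the request is resolved at all, so an out-of-band DNS interaction would not occur.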

