XSS Via X-Forwarded-Host

First, what is the X-Forwarded-Host header?

The HTTP X-Forwarded-Host header is a de-facto standard request header. It identifies the original Host requested by the client: because hostnames and ports can differ once a request passes through a reverse proxy, this header carries the host the client actually asked for. It can also be used for debugging and for building location-based content. In this way the header preserves what the client originally requested. The standardized equivalent of this header is HTTP Forwarded.

LET’S ATTACK!!

So I went to the webpage "https://www.omise.co/", captured the request in Intercept, sent it to Repeater, and added

X-Forwarded-Host: bing.com

and checked whether bing.com was reflected anywhere in the response.



As you can see in the above image, it was reflecting on the sign-in button. So I decided to add an XSS payload after X-Forwarded-Host: bing.com

After adding the XSS payload:
X-Forwarded-Host: bing.com"><img src/onerror=prompt(document.cookie)>


I checked whether it was still reflecting.


As you can see in the above image, the XSS payload was reflecting on the sign-in button.
When I sent this request to the browser, BOOM!!
The JavaScript alert box displayed some cookie information as shown in the image given below.
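To show the defect behind this finding in code, here is an added example (not code from the original write-up or from the omise.co site): a sign-in link built from X-Forwarded-Host as an XSS sink, beside a hardened version that only honours an allowlisted host and escapes the value before it reaches HTML. The allowlist, the request headers and the helper names are constructed assumptions.

```javascript
// Added example, not code from the original write-up or from the omise.co site:
// a sign-in link built from X-Forwarded-Host as an XSS sink, beside a hardened version.
// The allowlist and the request headers below are constructed assumptions.

const TRUSTED_HOSTS = new Set(["www.omise.co"]); // assumed canonical host, from the page URL

// HTML-escape for text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: trusts the forwarded host and concatenates it raw into markup.
function renderSignInVulnerable(headers) {
  const host = headers["x-forwarded-host"] || headers["host"];
  return `<a class="sign-in" href="https://${host}/signin">Sign in</a>`;
}

// Hardened: a host is only used if it is on the allowlist; otherwise fall back to the
// canonical host. The value is also escaped so it can never break out of the attribute.
function resolveHost(headers) {
  const forwarded = String(headers["x-forwarded-host"] || "").split(",")[0].trim().toLowerCase();
  if (TRUSTED_HOSTS.has(forwarded)) return forwarded;
  const host = String(headers["host"] || "").toLowerCase();
  if (TRUSTED_HOSTS.has(host)) return host;
  return [...TRUSTED_HOSTS][0];
}

function renderSignInHardened(headers) {
  const host = escapeHtml(resolveHost(headers));
  return `<a class="sign-in" href="https://${host}/signin">Sign in</a>`;
}

// Detection aid for proxy or WAF logs: a forwarded host that is not a plain
// hostname (optionally with a port) is a sign of header tampering.
function isSuspiciousForwardedHost(value) {
  const first = String(value).split(",")[0].trim();
  return !/^[a-z0-9.-]+(:\d{1,5})?$/i.test(first);
}

// Constructed request carrying the payload from the write-up.
const poisoned = {
  host: "www.omise.co",
  "x-forwarded-host": 'bing.com"><img src/onerror=prompt(document.cookie)>',
};

console.log(renderSignInVulnerable(poisoned)); // payload lands inside the <a> markup
console.log(renderSignInHardened(poisoned));   // https://www.omise.co/signin, payload dropped
```

The same allowlist check belongs at the reverse proxy as well, so that a client-supplied X-Forwarded-Host is overwritten rather than passed through to the application.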


Reference: