⛏️ Write a test to check whether we can create/update an object with Host Header Manipulation #659
Description
💭 Introduction:
We want a test to check whether an attacker can create/update entity with Host Header Manipulation
🎯 Requirements:
-
Filters - API with GET query parameter or JSON body parameter
-
Execute - It should add or replace a value with
- host = localhost in HTTP headers if Host header exists, or add new value
- host = 127.0.0.1 in HTTP headers if Host header exists, or add new value
- X-Forwarded-For: evil-website.com
- X-Forwarded-Host: evil-website.com
- X-Client-IP: evil-website.com
- X-Remote-IP: evil-website.com
- X-Remote-Addr: evil-website.com
- X-Host: evil-website.com
- Validation - If the application responds with a exception trace or error response strings, it is a vulnerability.
✅ Task summary:
- Ask to be assigned to the issue.
- Wait to be assigned. We will try to assign in less than 2 hours.
- Signup for [Akto]
- Fork the [tests-library] repository, create a new branch and commit the yaml file which will be called in your test.
- Submit both the PR here.
📚 Reading
You can find a detailed documentation of test editor rules [here]
Find 100+ examples of YAML tests [here]
🙋🏼♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our [Discord server].