Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix] #659 : Add Host Header Manipulation Test #37

Merged
merged 1 commit into from
Nov 1, 2023
Merged

[fix] #659 : Add Host Header Manipulation Test #37

merged 1 commit into from
Nov 1, 2023

Conversation

adarsh-jha-dev
Copy link

Description

Closes #659

This pull request addresses Issue #659, which involves the addition of a new security test for Host Header Manipulation. The test checks whether an attacker can create or update an entity using this method, and it focuses on specific requirements:

🎯 Requirements:

  • Filters: Applicable to APIs with GET query parameters or JSON body parameters.

  • Execution: The test adds or replaces values in HTTP headers:

    • Host: localhost if the Host header exists, or adds it as a new value.
    • Host: 127.0.0.1 if the Host header exists, or adds it as a new value.
    • X-Forwarded-For: evil-website.com
    • X-Forwarded-Host: evil-website.com
    • X-Client-IP: evil-website.com
    • X-Remote-IP: evil-website.com
    • X-Remote-Addr: evil-website.com
    • X-Host: evil-website.com

  • Validation: If the application responds with an exception trace or error response strings, it is considered a vulnerability.

The new test is structured and designed to verify security against Host Header Manipulation in various scenarios. It aligns with the objectives of Issue #659.

Please review this PR and provide feedback or merge it as appropriate.

@adarsh-jha-dev
Copy link
Author

I request any of the maintainers to please have a look at this PR and merge it if found relevant

@ankush-jain-akto ankush-jain-akto changed the base branch from master to hacktoberfest November 1, 2023 03:16
@ankush-jain-akto ankush-jain-akto merged commit 91f3716 into akto-api-security:hacktoberfest Nov 1, 2023
@adarsh-jha-dev
Copy link
Author

adarsh-jha-dev commented Nov 1, 2023
edited
Loading

Thanks a lot @ankush-jain-akto , will this PR count towards my hacktoberfest swags/prizes?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

⛏️ Write a test to check whether we can create/update an object with Host Header Manipulation
2 participants
@adarsh-jha-dev @ankush-jain-akto