⛏️ Write a test to check whether we can create/update an object with Host Header Manipulation

[arjun-akto]

💭 Introduction:

We want a test to check whether an attacker can create/update entity with Host Header Manipulation

🎯 Requirements:

1. Filters - API with GET query parameter or JSON body parameter

2. Execute - It should add or replace a value with

   • host = localhost in HTTP headers if Host header exists, or add new value
   • host = 127.0.0.1 in HTTP headers if Host header exists, or add new value
   • X-Forwarded-For: evil-website.com
   • X-Forwarded-Host: evil-website.com
   • X-Client-IP: evil-website.com
   • X-Remote-IP: evil-website.com
   • X-Remote-Addr: evil-website.com
   • X-Host: evil-website.com

3. Validation - If the application responds with a exception trace or error response strings, it is a vulnerability.

✅ Task summary:

• [ ] Ask to be assigned to the issue.
• [ ] Wait to be assigned. We will try to assign in less than 2 hours.
• [ ] Signup for [Akto]
• [ ] Fork the [tests-library] repository, create a new branch and commit the yaml file which will be called in your test.
• [ ] Submit both the PR here.

📚 Reading

You can find a detailed documentation of test editor rules [here]

Find 100+ examples of YAML tests [here]

🙋🏼‍♂️ Questions:

If you have questions, need any help, or just want to hang out, make sure to join us on our [Discord server].

[newton0-0]

Hi @arjun-akto I would like to work on this kindly assign it to me.

[ishanpatil35]

assign to me

[arjun-akto]

Hi @newton0-0 , @ishanpatil35 . I have assigned the issue to you. Please feel free to connect us on our Discord server for any doubts.

[adarsh-jha-dev]

Hi @arjun-akto , can you please assign this issue to me too?

[Nayansagar1326]

Hi @arjun-akto , i would like to work on this , can you please assign it to me.

[arjun-akto]

Hi @Nayansagar1326 , @adarsh-jha-dev. I have assigned the issue to you. Please feel free to connect us on our Discord server for any doubts. Sorry for the late reply!

[parthrc]

Hey @arjun-akto I would like to work on this issue

[arjun-akto]

Hi @parthrc ! I have assigned the issue to you. Please feel free to connect us on our Discord server for any doubts. Sorry for the late reply!

[adarsh-jha-dev]

Hey @arjun-akto , I have raised a PR for this issue, I request you to please have a look at it and let me know if the changes are relevant.

[RaagaAkto]

Hi @adarsh-jha-dev Please fill out this form here so we can send you Akto swags. Will let you know ETA of swags soon, thanks for your contribution! 🚀

[adarsh-jha-dev]

Hi @adarsh-jha-dev Please fill out this form here so we can send you Akto swags. Will let you know ETA of swags soon, thanks for your contribution! 🚀

Thanks a lot, but this form is asking for permission of the owner. Could you please resolve this?

[RaagaAkto]

Hi @adarsh-jha-dev, we've received your details, swags should reach you in a month!