Ippsec always Rocks
Great stuff thanks Ipp. Another thing I come across fairly frequently is Host headers being reflected in 302 redirect responses, sometimes there is a reflected XSS vector although it can be difficult to actually exploit.
Would be another cool video idea on explaining some tips on how to find the origin IP address for a server behind cloud flare. Like what OSINT sources you can try, etc.
I don't know a way to do that without pointing out sites that incorrectly configured cloudflare. Without spending the money setting up a bunch of examples myself, which I don't really want to do right now. If my channel gets more members, I may consider it in the future.
@ippsec dude I wish your channel would get more members. I’ve been subbed to you for years and how you don’t have more recognition truly amazes me. I guess the pen testing scene is relatively small but you’re so good at what you do. I genuinely appreciate you keeping your content genuine and not selling out by only doing entry level videos with big named guests and flashy clickbait thumbnails and titles like network chuck and other YouTubers. You, cyber mentor, and John Hammond are my favorite YouTubers. I even play your videos some nights when I’m going to bed because cyber security and programming are my favorite things to listen to when going to sleep. 😂
@ippsec Greetings IppSec, I got a question. How does the backend IP of a website leak if Cloudflare is misconfigured? I mean how would someone set it up correctly to avoid leaking his webserver IP?
@briancarson3052 Make sure that your DNS records are set to "Proxied" instead of "DNS only" to hide your webserver's IP address.
Make sure that you have set up firewall rules correctly to block all traffic except traffic coming from Cloudflare IP addresses.
Make sure that your SSL certificate is set up correctly and is using the "Full (Strict)" mode.
You can use Cloudflare's diagnostic tools to verify that your configuration is correct and that your webserver's IP address is not leaking.
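The firewall step above (and the iptables/mutual-TLS lockdown IppSec mentions later in the thread for the HTB origin) is the part that keeps a leaked origin address from being useful. The following is an added example, not code from the video or from Cloudflare: it renders an allow-list of proxy edge ranges as iptables rules and checks an origin access log for requests that did not arrive through the proxy. The edge ranges and log lines are a constructed sample; in production load the authoritative lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```python
import ipaddress

# Constructed sample of edge ranges. Cloudflare publishes the authoritative
# lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6;
# load those in production rather than this subset.
SAMPLE_EDGE_RANGES = ["173.245.48.0/20", "103.21.244.0/22", "2400:cb00::/32"]

# Constructed origin access-log lines: one request via the proxy, one direct hit.
SAMPLE_ACCESS_LOG = """\
173.245.48.10 - - [01/Jan/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
"""


def parse_ranges(cidrs):
    """Turn CIDR strings into ip_network objects (v4 and v6 mixed is fine)."""
    return [ipaddress.ip_network(c) for c in cidrs]


def is_from_proxy(src_ip, networks):
    """True when the source address falls inside one of the proxy ranges."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in networks if net.version == ip.version)


def origin_firewall_rules(cidrs, port=443):
    """Render the lock-down as iptables/ip6tables commands: accept the proxy
    ranges on the web port and drop everything else, so a leaked origin IP
    cannot be used to talk to the server directly."""
    rules = []
    for net in parse_ranges(cidrs):
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    rules.append(f"ip6tables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def direct_hits(log_text, cidrs):
    """Detection: source IPs in the origin's access log that did not come
    through the proxy, i.e. the origin address is already known to someone."""
    networks = parse_ranges(cidrs)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src = line.split()[0]  # combined-log format starts with the client IP
        if not is_from_proxy(src, networks):
            hits.append(src)
    return hits


if __name__ == "__main__":
    for rule in origin_firewall_rules(SAMPLE_EDGE_RANGES):
        print(rule)
    print("direct hits:", direct_hits(SAMPLE_ACCESS_LOG, SAMPLE_EDGE_RANGES))
```

The firewall rules only help if they are in place before the address leaks; the log check is the cheap way to find out whether that has already happened. Pairing the allow-list with Cloudflare's "Full (Strict)" TLS mode (and, where available, authenticated origin pulls) covers the case where a proxy range is later reassigned.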
The easiest way to do this is by using Censys and searching for information such as the website's HTML code, title, or any other information that you can use to pinpoint the website. Censys will show you the website's backend IP if it has scanned it in the past. The harder way is to set up your own server that scans the entire internet 24/7, including storing the website response.
How could you figure out the IP of website behind cloudflare? Lovely talk!
Great video. Clear, concise, and actionable. Thanks IppSec!
Lovely stuff! The face cam is a really nice touch - really cool for these types of videos! Especially from such a handsome cyber sec guy haha
Hi fellow slow magic fan 🙂↕️ agreed though, it helps to make it more engaging hahah
@ash_tray_6 WHAT??!!!!!!!!!!!!
How to test different custom http request response headers for BSQLI XSS LFI RFI RCE ? Thanks
Please could you do more videos like this especially after the video on the box that showcases the vulnerability, it's really helpful.
Interesting. Never knew about this. Makes me wonder how many websites I'm logged into that has this vulnerability.
Just as a note for cloudflare: You can now publish websites NOT exposed to the internet iirc using their relay agent. Basically your agent connects to cloudflare and then forwards requests. That fixes that issue.
Hey I am new to this channel and to be frank this video is very hard to follow. I have a lot of backend experience, but as a newcomer to this channel I am new to many tools you are using, but you just glimpse through them. Also as a mobile heavy user I kept zooming in most of the time. Just a couple of tips that might or might not help. Peace ✌🏼
Same. This dude is ridiculous to follow
Same, the problem is that he does not explain the big picture well, like directions of requests.
This is a different type of video from your side, it's always solving HTB boxes, well this is a fresh sight to the eyes 😇
Are there really websites that allow user-defined headers to generate their password reset links? or am i misunderstanding what causes this? that seems beyond insane. what is the motive to design it this way?
You would be surprised. There are a lot of developers out there that don't look at how that variable is created, and just see it when trying to do something. Or copy off a bad stack overflow. I want to say Wordpress was also affected for a long time, you could find tons of examples with a google like:
site:hackerone.com Host Header Injection
I made my site's password reset logic from total scratch, and luckily I already use an environment variable to get the domain.
Howdy Ippsec!
What's your opinion on ChatGPT and its impact on the security industry, if any at all. Do you use it to learn? As a programming aid?
Thanks
Nice Ipp :D
are you using the Nvidia eye contact software?
Yes
nice man, tripped me out for a bit :D
♥️ from india
Hey ippsec, just a question, how would you actually exploit another person with this, as it requires intercepting the request and changing the headers, so isn't this just a self attack?
The idea is that I reset your password with the modified header. Now when you get the email, you click the link, and the token arrives at my server. Now I can reset your password and access your account.
@0xdf ah, I see, thank you :D
@0xdf thank you for the explanation! Had the same confusion as to how this would even work without someone being in your network.
Which brings up the question - Did you try to find the HTB IP without cloudflare, and try that? :)
I did not, the HTB Webserver only allows cloudflare to talk to it. Either through mutual ssl and/or iptables.
Ooh when did you start showing your face?
Environment variable is the most efficient way
Only if the app is reachable only via one url (for example intranet alternative). Then the env or config bar must have an accept-list or RE
Yeah
what i came across a few times is that it also is worth checking how it behaves when using the X-Forwarded-Host header. Often links will be crafted by the value provided in this header instead of host-header.
I thought about adding that, but no webserver (PHP/Python/Ruby) that I found would prefer the X-FORWARDED headers without some intentionally created thing, which means the developer really has to go out of their way to do that. So in my opinion, it is an extreme edge case.
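To make the exchange above concrete (0xdf's description of the attack, the X-Forwarded-Host variant, and the env-var and accept-list suggestions further up), here is an added example that is not code from the video or from any project it mentions. It shows the vulnerable link builder that takes its domain from Host (or, when an app has been configured to trust it, X-Forwarded-Host) next to two hardened forms: one that reads the canonical URL from configuration, and one for the shared-code-base case that honours Host only when it is on an allow-list. The header set, tenant hosts, the `APP_BASE_URL` variable name and the domains are constructed placeholders.

```python
import os
from urllib.parse import urlsplit

# Constructed sample: the headers a password-reset request carries after the
# attacker has rewritten Host / X-Forwarded-Host while requesting a reset for
# the victim's account. "evil.example" is a placeholder domain.
TAMPERED_HEADERS = {
    "Host": "evil.example",
    "X-Forwarded-Host": "evil.example",
}

# Constructed allow-list for a multi-tenant deployment (hypothetical tenant hosts).
ALLOWED_HOSTS = {"forum1.example.test", "forum2.example.test"}
DEFAULT_BASE_URL = "https://app.example.test"  # constructed placeholder


def host_from_headers(headers, trust_forwarded=False):
    """Bare hostname a naive app would use to build absolute URLs. Port suffixes
    are dropped; X-Forwarded-Host is only consulted when the app has been
    configured to trust it (the edge case discussed above)."""
    raw = ""
    if trust_forwarded:
        raw = headers.get("X-Forwarded-Host", "")
    raw = raw or headers.get("Host", "")
    return raw.split(",")[0].strip().split(":")[0].lower()


def reset_link_vulnerable(headers, token, trust_forwarded=False):
    """The pattern the video describes: the link's domain is whatever the client
    sent, so the reset token is delivered to the attacker's host."""
    return f"https://{host_from_headers(headers, trust_forwarded)}/reset?token={token}"


def reset_link_fixed(token, base_url=None):
    """Hardened form: the public URL comes from configuration, never from the
    request. APP_BASE_URL is an assumed environment variable name."""
    base = (base_url or os.environ.get("APP_BASE_URL", DEFAULT_BASE_URL)).rstrip("/")
    return f"{base}/reset?token={token}"


def reset_link_multitenant(headers, token, allowed_hosts=ALLOWED_HOSTS, base_url=None):
    """Shared-code-base case: Host is honoured only if it is on the allow-list;
    anything else falls back to the configured canonical URL."""
    host = host_from_headers(headers)
    if host in allowed_hosts:
        return f"https://{host}/reset?token={token}"
    return reset_link_fixed(token, base_url)


def host_is_suspicious(headers, allowed_hosts=ALLOWED_HOSTS):
    """Detection helper: flags requests whose Host is not one the app serves,
    which is what a header-injection probe looks like in access logs."""
    return host_from_headers(headers) not in allowed_hosts


def link_leaks_token(link, allowed_hosts=ALLOWED_HOSTS, base_url=DEFAULT_BASE_URL):
    """True when a generated link points somewhere other than our own hosts."""
    target = urlsplit(link).hostname
    return target not in allowed_hosts and target != urlsplit(base_url).hostname


if __name__ == "__main__":
    print("vulnerable:", reset_link_vulnerable(TAMPERED_HEADERS, "t0k"))
    print("fixed:     ", reset_link_fixed("t0k"))
    print("tenant:    ", reset_link_multitenant(TAMPERED_HEADERS, "t0k"))
```

Note that the allow-list version still has to compare against an explicit set of hostnames; matching on a suffix or a regular expression is where these fixes usually go wrong, and the `host_is_suspicious` check is cheap enough to log on every reset request.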
nice video
Wow. Just hearing how you think through things is amazing and eye opening. Thank you for such consistent high quality content ❤
Stackoverall of 21st century... ChatGPT😂
2:36 wow that was really scary 😰
ippschads, rise up
Doesn't work for sites with HSTS enabled, of course
It's hard to believe it's already been 3 years since I started watching you. Soon, it will be 4.❤️
Thanks.
I never trust anything that comes from the user, I get the domain from my env :) hopefully I am safe
Holy shit a facecam. How long has this been a thing??
Since the talk as ambassador for HtB
Master!!!!!
As a web designer, developer, solutions architect and security researcher, it seems very strange to me that someone would choose to build a system in a way which uses the host header value to determine what domain to use in the password reset link - rather than using an environment variable or hardcoding it.
Is this actually a thing people do?
Will keep this in mind to test on my next bug hunt anyhow. Thanks! Great video.
It just comes down to the developers not knowing exactly where that information is coming from and copy/pasting code to get something working.
@ippsec I guess so, but still strikes me as really weird because the kind of developer who would do that surely would be more likely to just hardcode the domain or something instead - since it would take more effort for them to code it to fetch the host header value. And that kind of developer potentially may not even be aware of the host header's existence 🤔
I would also assume that if you have domains served by virtual host, this would also remove this vector
I can see a scenario where the same server code is shared for different applications, or there are private user projects running under subdomains, and there is a built in password reset... somehow. For example, some kind of "make your own forum from template". Then using host header to differentiate between the forums is a solution that comes to mind
To answer your question, yes this is a thing people do. Vulnerabilities resulting from misconfigured CORS work in a similar way and is basically header injection.
Why would dev use host info from user lol 😂
At least they usually use info provided by the server itself.
thanks ippsec, very good Tutorial 😎
Holy cow azure scanner even sends the full request with parameters as referer header to the favicon.
So that's what he looks like. I was way off on how I imagined he would look.
can someone explain to me how changing the host the request is sent to still somehow gets to the server?
wow first time I saw your face ippsec and thanks for this
things are definitely getting out of hands
I have NO CLUE what this video is about because you go soooooooooooooool fast
bro is staring at my soul ong nvidia gotta make this more human like
Amazing!! Thanks for sharing!
You randomly popped up on my youtube feed but here's some constructive criticism:
With the way you have your webcam setup or be it your monitor it constantly feels like someone is watching me or my soul is being hard stared at.
perhaps you could try moving the camera just a tiny bit to the side and take a glance at it here and there while you describe something, i feel like that could help bring points across clearer since you divert your attention to the webcam for that time being even if it's just looking at it from a slight angle and feels less robot-like :D
Thanks for the comment, don't use webcam stuff much. I had accidentally left the nvidia eye track on so that may be the issue.
THE FACE!!!!!!!!!!!!!!!!!!!!!!!!! IPPSEC u rocks. :)
Great content as always
Nice new hair
This is why we should have MFA
Yo Ipp, it is nice to see you:)
you look like a friendly person lol
Great info. You're amazing
Is hardcoding the domain into the code a bad idea? If so why?
I think it’s better as an environment variable, just so you can easily change between dev/staging/production. Environment variable changes can be live so if you need to make a tweak it’s intuitive and easy. If the domain's hard coded I don’t think it is intuitive to change
if env var is changed, application still needs to be restarted
@x.plorer It really depends on the application. Some will monitor the .env file and autoload any changes. I want to say Laravel does this by default, I would guess fastapi/flask does not, but no reason you couldn't do it. Also you could probably reload the service vs restart to load it without interruption.
Can I request a hacking video?
Don't ask to ask😂
your eyes are creepy
Tried the nvidia eye tracking thing 😂
@ippsec 🤣🤣