No Host header in https://portswigger.net/web-security/host-header/exploiting/lab-host-header-authentication-bypass

gachikuku | Last updated: Jul 04, 2024 02:14PM UTC

It's not possible to pass this lab, because there is no Host header.

Ben, PortSwigger Agent | Last updated: Jul 05, 2024 07:47AM UTC

Hi, Are you able to clarify what exactly you mean by this? The Host header will be in each and every request being sent in the Web Academy labs. Are you able to provide a screenshot of the request to the home page of this lab when you proxy your traffic through Burp so that we can see what your requests look like?

gachikuku | Last updated: Jul 05, 2024 12:41PM UTC

Don't know how to paste a screenshot on here but I can provide you what I get.

    [1] 1:mitmproxy* 2:zsh- mak.local
    Flow Details
    2024-07-05 15:34:49 GET https://0a9400640436f3e380d3d0a2005b00d0.web-security-academy.net/ HTTP/2.0
                        ← 200 text/html 1.5k 138s
    Request  Response  Detail
    user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    accept-language: en-GB,en;q=0.5
    accept-encoding: gzip, deflate, br, zstd
    referer: https://portswigger.net/
    cookie: session=uh7z8Bd1CaBOY98M1UQs5vtO2syzKWRL
    cookie: _lab=46%7cMCwCFCIgTsobHD08e7k8jRWhrHuJH3y9AhR%2btIDAp8NEHM1JEwbnXuNJPZBWbTu5eGqo5ton%2bPfY1J%2bUkyDmyF900OaLvoSfRAfwVJ5V z7CBrDfWz8PX2HmiUwuyv7D94dkHa3MzJqd3Np6su4gkVK46Mr716WfGaMPIWdxfPWiQ%2fAY%3d
    upgrade-insecure-requests: 1
    sec-fetch-dest: document
    sec-fetch-mode: navigate
    sec-fetch-site: cross-site
    priority: u=1
    te: trailers
    content-type: application/x-www-form-urlencoded
    content-length: 0
    No request content
    [m:auto]

Maybe it's a mitmproxy issue? Thanks for the reply and sorry for bothering.

Ben, PortSwigger Agent | Last updated: Jul 05, 2024 12:50PM UTC

Hi, Have you tried using Burp in conjunction with the Web Academy labs?

gachikuku | Last updated: Jul 05, 2024 01:49PM UTC

When I run Burp, is the client aware that there is a proxy? Aaaah, it works with Burp. Thanks.

Ben, PortSwigger Agent | Last updated: Jul 08, 2024 07:17AM UTC

Hi, The sites that you are interacting with might be able to tell that you are using a proxy (this is generally the case for other proxies as well).

gachikuku | Last updated: Jul 08, 2024 02:17PM UTC

Thanks for replying. Actually this is what's happening: https://portswigger.net/burp/documentation/desktop/http2/http2-normalization-in-the-message-editor It had nothing to do with a transparent proxy. Other proxies don't have HTTP/2 normalization for ease of editing.
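
The behaviour the thread ends on, as an added example (not part of the thread and not Burp's or mitmproxy's code): an HTTP/2 request carries its host in the `:authority` pseudo-header, so a raw HTTP/2 view shows no `host` field, while an HTTP/1.1-style view has to derive `Host` from it. The function name `h1_view` and all sample values are constructed for illustration; the checks follow RFC 9113 sections 8.2.3 and 8.3.1.

```python
# Added example: build an HTTP/1.1-style view of an HTTP/2 request.
# Rules follow RFC 9113 (8.2.3, 8.3.1); names and sample values are constructed.
REQUEST_PSEUDO = {":method", ":scheme", ":authority", ":path"}

def h1_view(fields):
    """fields: ordered (name, value) pairs as decoded from an HTTP/2 HEADERS frame."""
    pseudo, regular, cookies = {}, [], []
    for name, value in fields:
        if name.startswith(":"):
            # Pseudo-headers must be known, unique, and precede regular fields.
            if name not in REQUEST_PSEUDO or name in pseudo or regular or cookies:
                raise ValueError(f"malformed pseudo-header: {name}")
            pseudo[name] = value
        elif name == "cookie":
            cookies.append(value)      # HTTP/2 may split Cookie into several fields
        else:
            regular.append((name, value))
    missing = {":method", ":scheme", ":path"} - pseudo.keys()
    if missing:
        raise ValueError(f"missing pseudo-headers: {sorted(missing)}")
    hosts = [v for n, v in regular if n == "host"]
    authority = pseudo.get(":authority", hosts[0] if hosts else None)
    if authority is None:
        raise ValueError("request has neither :authority nor host")
    # A host field that differs from :authority is ambiguous routing input:
    # reject it instead of silently picking one of the two values.
    if any(h != authority for h in hosts):
        raise ValueError("host field disagrees with :authority")
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1", f"Host: {authority}"]
    lines += [f"{n}: {v}" for n, v in regular if n != "host"]
    if cookies:
        lines.append("cookie: " + "; ".join(cookies))  # rejoin split cookie fields
    return lines

# Constructed request shaped like the mitmproxy flow in the thread: no host field.
SAMPLE = [
    (":method", "GET"), (":scheme", "https"),
    (":authority", "lab.example"), (":path", "/"),
    ("user-agent", "demo-client"),
    ("cookie", "session=aaa"), ("cookie", "_lab=bbb"),
]

if __name__ == "__main__":
    print("\n".join(h1_view(SAMPLE)))
```
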

