Host Header Injection
142 views
Skip to first unread message
Mike
May 8, 2024, 9:38:21 AM5/8/24
to ZAP User Group
Hello team! Is it possible to use ZAP to test the Host Header Injection or add an X-Forwarded-Host header and analyze the behavior change in this case? I can't find such a rule. Maybe there is an ascon rule or a community script? Is this implemented in ZAP? Vulnerability description - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection
kingthorin+zap
May 8, 2024, 2:22:35 PM5/8/24
to ZAP User Group
There isn't an existing rule. You could create an active scan script, HTTPSender script, or Replacer rule to do it.
- https://github.com/zaproxy/community-scripts/tree/main/active
- https://github.com/zaproxy/community-scripts/tree/main/httpsender
- https://github.com/zaproxy/community-scripts/tree/main/other/tips/replacer/match-and-replace#bypass-waf
Mike
May 11, 2024, 2:11:06 AM5/11/24
to ZAP User Group
Thanks! Started the development of ascan script! :D
Reply all
Reply to author
Forward
0 new messages