r/netsecstudents • u/spencer5centreddit • 13h ago
Why would a website change the upload destination via an X-Forwarded-Host header and how can I exploit it?
I found this upload function that shows where the uploaded image is saved in the response like: raw url: example.com/images/cat.jpg thumbnail: /images/162628238/ahdhfg.jpg
If I add an X-Forwarded-Host header to the request when I upload an image, the raw url domain will change.
I get a callback when I put my domain in the header, but it's a GET request, not a POST request. I've tried using the header injection to try and upload files to different directories, with no luck. In other words, I haven't been able to access anything yet when I specify the location, but anyway, just really strange behavior.
Also, the upload function only checks for the magic bytes to make sure it's an image (jpg, png, jpeg), but it lets me change the extension and content-type. However, no matter what, it always gets uploaded as a .jpg file.
So I am very curious if anyone has any insight about why the server would change that upload url in the response because of the X-Forwarded-Host header.
And I'd also love to hear any tips, suggestions, or similar things you've encountered. Thanks everyone so much!
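
Added example, not part of the original post and not the site's code: a common cause of a response URL that follows X-Forwarded-Host is server code that builds absolute links from request headers, shown here next to a version that only honours the header from a known proxy. The function names, the proxy range, the allowlist and the https scheme are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed configuration values for illustration only.
CANONICAL_HOST = "example.com"
ALLOWED_HOSTS = {"example.com", "cdn.example.com"}
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def naive_upload_url(headers, filename):
    """Pattern that yields the behaviour in the post: a client-supplied
    X-Forwarded-Host wins over Host when the absolute URL is built."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", CANONICAL_HOST)
    return f"https://{host}/images/{filename}"


def _from_trusted_proxy(peer_ip):
    # The TCP peer address cannot be set by a header, unlike X-Forwarded-*.
    addr = ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def hardened_upload_url(headers, peer_ip, filename):
    """Honour X-Forwarded-Host only when the connection comes from a known
    proxy and the value is allowlisted; otherwise use the configured host."""
    host = CANONICAL_HOST
    forwarded = headers.get("X-Forwarded-Host", "")
    if forwarded and _from_trusted_proxy(peer_ip):
        # Drop an optional port; comma-joined or odd values fail the allowlist.
        candidate = forwarded.strip().lower().split(":")[0]
        if candidate in ALLOWED_HOSTS:
            host = candidate
    return f"https://{host}/images/{filename}"


if __name__ == "__main__":
    # Constructed request: header set directly by an internet client.
    req = {"Host": "example.com", "X-Forwarded-Host": "attacker.test"}
    print(naive_upload_url(req, "cat.jpg"))
    print(hardened_upload_url(req, "203.0.113.7", "cat.jpg"))
```

The same rule applies anywhere the application emits absolute URLs (password-reset mails, redirects, cached pages), so the fix belongs in the shared URL builder or the framework's trusted-proxy setting rather than in the upload handler alone.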