Hi fellow slow magic fan 🙂‍↕️ agreed though, it helps to make it more engaging hahah

@@ash_tray_6 WHAT??!!!!!!!!!!!!

I thought about adding that, but no webserver (PHP/Python/Ruby) that I found would prefer the X-FORWARDED headers without some intentionally created thing, which means the developer really has to go out of their way to do that. So in my opinion, it is an extreme edge case.

I don't know a way to do that without pointing out sites that incorrectly configured cloudflare. Without spending the money setting up a bunch of examples myself, which I don't really want to do right now. If my channel gets more members, I may consider it in the future.

@@ippsec dude I wish you channel would get more members. I’ve been subbed to you for years and how you don’t have more recognition truly amazes me. I guess the pen testing scene is relatively small but you’re so good at what you do. I genuinely appreciate you keeping your content genuine and not selling out by only doing entry level videos with big named guests and flashy clickbait thumbnails and titles like network chuck and other KZbinrs. You, cyber mentor, and John Hammond are my favorite KZbinrs. I even play your videos some nights when I’m going to bed because cyber security and programming are my favorite things to listen to when going to sleep. 😂

@@ippsec Greetings IppSec, I got a question. How does the backend IP of a website leak if the cloudflare is misconfigured? I mean how would someone setup it correctly to avoid getting his webserver IP?

@@briancarson3052 Make sure that your DNS records are set to "Proxied" instead of "DNS only" to hide your webserver's IP address. Make sure that you have set up firewall rules correctly to block all traffic except traffic coming from Cloudflare IP addresses. Make sure that your SSL certificate is set up correctly and is using the "Full (Strict)" mode. You can use Cloudflare's diagnostic tools to verify that your configuration is correct and that your webserver's IP address is not leaking.

The easiest way to do this is by using Censys and searching for information such as the website's HTML code, title, or any other information that you can use to pinpoint the website. Censys will show you the website's backend IP if it has scanned it in the past. The harder way is to set up your own server that scans the entire internet 24/7, including storing the website response.

Same. This dude is ridiculous to follow

Same, the problem is that he does not explain well the big picture, like directions of requests.

You would be surprised. There are a lot of developers out there that don't look at how that variable is created, and just see it when trying to do something. Or copy off a bad stack overflow. I want to say Wordpress was also affected for a long time, you could find tons of examples with a google like: site:hackerone.com Host Header Injection

Yes

nice man, tripped me out for a bit :D

The idea is that I reset your password with the modified header. Now when you get the email, you click the link, and the token arrives at my server. Now I can reset your password and access your account.

@@0xdf ah i see,thank you :D

@@0xdf thank you for explanation! Had the same confusion as to how this would even work without someone being in your network.

It just comes down to the developers not knowing exactly where that information is coming from and copy/pasting code to get something working.

@@ippsec I guess so, but still strikes me as really weird because the kind of developer who would do that surely would be more likely to just hardcode the domain or something instead - since it would take more effort for them to code it to fetch the host header value. And that kind of developer potentially may not even be aware of the host header's existence 🤔

I would also assume that if you have domains served by virtual host, this would also remove this vector

I can see a scenario where the same server code is shared for different applications, or there are private user projects running under subdomains, and there is a built in password reset... somehow. For example, some kind of "make your own forum from template". Then using host header to differentiate between the forums is a solution that comes to mind

To answer your question, yes this is a thing people do. Vulnerabilities resulting from misconfigured CORS work in a similar way and is basically header injection.

I did not, the HTB Webserver only allows cloudflare to talk to it. Either through mutual ssl and/or iptables.

Only if the app is reachable only via one url (for example intranet alternative). Then the env or config bar must have a accept-list or RE

Yeah

Thanks for the comment, don't use webcam stuff much. I had accidentally left the nvidia eye track on so that may be the issue.

I think it’s better as an environment variable, just so you can easily change between dev/staging/production. Environment variables changes can be live so if you need to make a tweak it’s intuitive and easy. If the domains hard coded I don’t think it is intuitive to change

​if env var is changed, application still needs to be restarted

@@x.plorer It really depends on the applicaiton. Some will monitor the .env file and autoload any changes. I want to say Laravel does this by default, I would guess fastapi/flask does not, but no reason you couldn't do it. Also you could probably reload the service vs restart to load it without interruption.

Since the talk as ambassador for HtB

Don't ask to ask😂

Tried the nvidia eye tracking thing 😂

@@ippsec 🤣🤣