OpenVPN Host Header Injection

By kannthu

Informative
Vidoc Module
#openvpn #hostheader-injection
Description

OpenVPN Host Header Injection

What is "OpenVPN Host Header Injection"?

The "OpenVPN Host Header Injection" module is designed to detect a vulnerability in OpenVPN Access Server. This module specifically targets the OpenVPN software and aims to identify instances where remote attackers can inject arbitrary redirection URLs by manipulating the 'Host' header.

The module is rated at the informative severity level: a match gives useful information about a potential vulnerability, but the finding is not considered a significant direct threat.

Impact

If the OpenVPN Host Header Injection vulnerability is present, it can allow attackers to redirect users to malicious websites or perform other unauthorized actions. This can potentially lead to further exploitation of the affected system or compromise user data.

How does the module work?

The OpenVPN Host Header Injection module works by sending a specific HTTP request template and evaluating the response against predefined matching conditions. The request template includes a GET request with a manipulated 'Host' header, aiming to trigger the vulnerability.

For example, the module may send a request similar to the following:

GET / HTTP/1.1
Host: <random-alphanumeric-text>.tld

The module then checks the response against specific conditions, such as particular content in the headers or a particular HTTP status code. In the case of the OpenVPN Host Header Injection module, it looks for the words "https://{{randstr}}.tld/__session_start__/" and "openvpn_sess" in the response headers, as well as a status code of 302 (redirect).

If all the matching conditions are met, the module reports a vulnerability, indicating that the OpenVPN Access Server may be susceptible to host header injection attacks.
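The matching conditions described above, written out as an added example (this is not Vidoc's module code): it evaluates an already-captured response offline and requires all three conditions together. The function names, the sample responses, and the choice of `Location` and `Set-Cookie` as the headers carrying the matched words are assumptions made for illustration.

```python
import secrets
import string

def make_probe_host(length=12):
    """Random alphanumeric label under '.tld', like the template's Host value."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length)) + ".tld"

def parse_response(raw):
    """Return (status_code, header_block) from a raw HTTP response; body is dropped."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    parts = status_line.split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return status, header_block

def host_header_reflected(raw, probe_host):
    """All conditions must hold: status 302, injected redirect URL, openvpn_sess."""
    status, header_block = parse_response(raw)
    injected = f"https://{probe_host}/__session_start__/"
    return (status == 302
            and injected in header_block
            and "openvpn_sess" in header_block)

# Constructed sample responses (not captured from a real server).
PROBE = "a1b2c3d4e5f6.tld"
REFLECTED = (
    "HTTP/1.1 302 Found\r\n"
    f"Location: https://{PROBE}/__session_start__/\r\n"
    "Set-Cookie: openvpn_sess=constructed; Secure; HttpOnly\r\n\r\n"
)
CANONICAL = (  # server ignores the Host header and redirects to its own name
    "HTTP/1.1 302 Found\r\n"
    "Location: https://vpn.example.test/__session_start__/\r\n"
    "Set-Cookie: openvpn_sess=constructed; Secure; HttpOnly\r\n\r\n"
)
BODY_ONLY = (  # probe URL appears only in the body, so the headers do not match
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    f"<a href='https://{PROBE}/__session_start__/'>openvpn_sess</a>"
)

if __name__ == "__main__":
    for name, raw in [("reflected", REFLECTED), ("canonical", CANONICAL),
                      ("body-only", BODY_ONLY)]:
        print(name, host_header_reflected(raw, PROBE))
```

A server that builds its redirect from a configured hostname produces the `CANONICAL` shape and does not match, which is the behaviour to confirm after changing the server's configuration.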

Module preview

Concurrent Requests (1)
1. HTTP Request template
Raw request
Matching conditions
word: https://{{randstr}}.tld/__session_start_... and
status: 302
Passive global matcher
No matching conditions.
On match action
Report vulnerability