I'm working on a site and I've found a few pages that are vulnerable to open redirect: when you add the header X-Forwarded-Host: evil.com, the page redirects to evil.com/index.php. Is this really a vulnerability? For this to be executed in the wild, the attacker would need to perform a MITM attack, right? If the attacker was performing MITM they could redirect the victim to whatever site they want regardless of the vulnerable page, correct?
Is there any way to inject a header without MITM? I tried playing around with line returns and HTTP response splitting. Any advice would be much appreciated.
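To make the behaviour in the question concrete, here is an added example (not code from the asker's site) of a redirect handler that derives its Location from X-Forwarded-Host, next to a hardened version that only accepts hostnames from a configured allowlist, plus a small check a reviewer can run over Location values. The hostnames example.com and www.example.com and the ALLOWED_HOSTS setting are assumptions for the example.

```python
from urllib.parse import urlsplit

# Assumed site configuration: the canonical hostname and the hostnames the
# application is willing to serve (an allowlist, as frameworks like Django use).
CANONICAL_HOST = "example.com"
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def _request_host(headers: dict) -> str:
    """Host as a proxy-aware application would derive it: X-Forwarded-Host
    takes precedence over Host. Port suffix is dropped, case is normalised."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return host.split(":")[0].strip().lower()


def redirect_target_vulnerable(headers: dict) -> str:
    """The pattern in the question: whatever host the request claims ends up
    verbatim in the Location header, so a client-supplied X-Forwarded-Host
    becomes an off-site redirect."""
    return f"https://{_request_host(headers)}/index.php"


def redirect_target_hardened(headers: dict) -> str:
    """Same redirect, but the host is only honoured if it is one the
    application is configured to serve; anything else falls back to the
    canonical host, so request headers can no longer choose the target."""
    host = _request_host(headers)
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    return f"https://{host}/index.php"


def is_same_site_redirect(location: str) -> bool:
    """Check for a Location value (e.g. when reviewing responses or logs):
    allow only relative paths or absolute URLs on an allowed host.
    Scheme-relative forms such as //evil.com are rejected as well."""
    if location.startswith("//"):
        return False
    parts = urlsplit(location)
    if not parts.netloc:  # relative path such as /index.php
        return True
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed request headers mirroring the question's test.
    crafted = {"Host": "example.com", "X-Forwarded-Host": "evil.com"}
    print(redirect_target_vulnerable(crafted))  # off-site Location
    print(redirect_target_hardened(crafted))    # stays on example.com
```

Because a reverse proxy's cache usually keys only on Host and path, a response whose Location was influenced by an unkeyed header like X-Forwarded-Host is exactly the kind of response a cache can store and serve to other users, which is the cache-poisoning scenario raised in the answers.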
I think if the attacker is doing MITM it is not necessary for him to inject headers to redirect a victim; he can force the victim to visit the vulnerable page much more easily (simply change any server response to a 302 redirect, for example). So no, I think it is not a security vulnerability.
It would be if you can somehow cache this request at an endpoint.
Then you can potentially trick users of the actual platform into clicking on a valid-looking URL which will redirect them to your attack site.
Using cache poisoning, for instance.
According to https://bugcrowd.com/vulnerability-rating-taxonomy, header-based open redirection is considered P5.