Virtual hosts
In a basic setting, one domain is typically associated with one host. To associate multiple domains with the same host, we use virtual hosts.
Webserver such as Apache are using the HTTP Header Host to determine which website the users want to see.
$ curl -H 'Host: example.com' example.com # subdomain
$ curl -H 'Host: vh.example.com' example.com # vhost
When these Virtual Host records (Host to website) are public, they are handled like subdomains, but this is not always the case. This is a common technique to hide websites, such as admin or private websites for employees or test websites.
πͺ€ In CTFs, they could be used to hide a whole different website.
Common tools to find virtual hosts are:
Common wordlists are listed in wordlists#subdomains
Access from your browser π
Since VHosts are mapped locally on the target webserver, we cannot access it without prior configuration locally.
Edit your local DNS file, such as WEBSERVER_IP vh.example.com.
-
/etc/hosts -
c:\windows\system32\drivers\etc\hosts