Before we get to the offensive part, let's first understand what a Host header is and what it does.
The HTTP Host Header
The Host header is a mandatory field that web clients must include in their HTTP/1.1 requests. It tells the web server which domain the client is trying to reach. This is useful when multiple websites are hosted on the same web server: they can share the same IP address but differ in the domain name.
Here is what an HTTP request with a Host header looks like:
GET /index.html HTTP/1.1
Host: patchthenet.com
Web applications are generally not hosted on standalone servers. Rather, you will most often find them running on top of a shared server. These applications consequently share the same IP address, and so, to tell where each incoming request is destined, the web server relies on the HTTP Host header.
On the other hand, some websites may only be reachable through an intermediary system that handles the traffic from the client. These systems may be load balancers, reverse proxies, or WAFs. In this case, all of these websites share a single IP address, and once again the HTTP Host header is what lets the intermediary route each request to its intended destination.
Now that we have seen the utility of this header, let's see how it can pose a risk to the security of web applications.
HTTP Host Header Injection Attacks
Sometimes, web applications need to know the domain on which they are hosted. This is particularly true when they need to reference a resource through an absolute URL.
In such situations, a web application will typically take this domain name from the HTTP Host header value.
Here is an example of how a web application can do this:
Behind this seemingly harmless line, there is a major vulnerability that may not be obvious at first.
The web application reads the Host header value from
$_SERVER['HTTP_HOST'] and inserts it straight into the page it generates.
However, as we have seen, this value is user-controllable, meaning that a user can modify it before sending their request.
An attacker can simply supply a malicious payload as the Host header value, and the web application will unwittingly process it and use it, for example in the links it generates.
Another way to change the host value the application sees is the
X-Forwarded-Host header. Reverse proxies use this header when forwarding HTTP requests to the back-end web server so that the original Host value supplied by the browser is preserved, and many web frameworks honour it by default.
An attacker can send this header with a malicious payload to override the Host header:
GET /index.html HTTP/1.1
Host: patchthenet.com
X-Forwarded-Host: malicious.com
Taking the previous example and sending this request, we get the following:
Attackers can use the Host header as a foothold for various types of attacks. Most commonly, they inject the Host header in order to achieve web cache poisoning, SSRF, or password reset poisoning.
Once you find a vulnerable website, it is quite straightforward to exploit. Using a local proxy, you can intercept your request to the website before it leaves your machine.
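To make the three attacks above concrete, here is an added example (not code from the original post) in Python rather than PHP: a tiny model of a web application that trusts the Host and X-Forwarded-Host headers when building absolute URLs. The request bytes, the domains, the path names and the reset token are all constructed for this demo, and malicious.com stands in for an attacker-controlled domain.

```python
# Added example (not code from the original post): a tiny model of a web
# application that trusts the Host / X-Forwarded-Host headers when building
# absolute URLs. The requests, domains, paths and token below are constructed
# for this demo; malicious.com stands in for an attacker-controlled domain.


def parse_request(raw: bytes):
    """Minimal HTTP/1.1 request parser: returns (method, path, headers) with
    header names lower-cased, as a real server would expose them."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def effective_host_naive(headers):
    """The insecure default many apps and frameworks use: X-Forwarded-Host
    wins if present, otherwise Host, with no check of either value."""
    return headers.get("x-forwarded-host") or headers.get("host", "")


def reset_link_naive(headers, token):
    """Password-reset e-mail link built from the request's host (the PHP
    equivalent is concatenating $_SERVER['HTTP_HOST'] into the link).
    With a poisoned host the victim's token is sent to the attacker."""
    return f"https://{effective_host_naive(headers)}/reset?token={token}"


def script_tag_naive(headers):
    """Absolute script URL written into the page. If a shared cache stores
    this response, every later visitor loads the attacker's script."""
    host = effective_host_naive(headers)
    return f'<script src="https://{host}/static/app.js"></script>'


# Constructed requests: a normal one, one with an injected Host header, and
# one where Host is legitimate but X-Forwarded-Host overrides it.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: patchthenet.com\r\n\r\n"
HOST_INJECTED = b"GET /index.html HTTP/1.1\r\nHost: malicious.com\r\n\r\n"
XFH_INJECTED = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: patchthenet.com\r\n"
    b"X-Forwarded-Host: malicious.com\r\n\r\n"
)

if __name__ == "__main__":
    cases = (("normal", NORMAL), ("Host injected", HOST_INJECTED),
             ("X-Forwarded-Host injected", XFH_INJECTED))
    for label, raw in cases:
        _, _, hdrs = parse_request(raw)
        print(f"{label:>26}: {reset_link_naive(hdrs, 'TOKEN')}")
        print(f"{'':>26}  {script_tag_naive(hdrs)}")
```

Run it and the second and third cases both produce links and script tags pointing at malicious.com, even though in the third case the Host header itself is untouched; that is exactly why validating Host alone is not enough when the application also honours X-Forwarded-Host.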
For example, the image below shows the intercepted request to my website using Burp. Now, the attacker can simply change the Host header value, where it says
www.patchthenet.com, to a domain name that they control, and then forward the request.
Of course, this will not work here, and it won't be effective against most websites either, because there are many security controls that web administrators implement to protect their websites against these attacks.
And this is what we are going to cover next.
Preventing Host Header Injection Attacks
Fortunately, Host header injection attacks are not inevitable. By following certain security measures, you can protect your web application and mitigate the risk of an HTTP Host header attack.
The safest measure you can put in place is to avoid using the HTTP Host header in the first place. Always ask yourself whether you truly need absolute URLs when referencing resources; relative URLs do not depend on the host at all, and where an absolute URL is unavoidable (a password-reset e-mail, for instance), take the domain from the application's own configuration rather than from the request.
When you actually need to rely on the Host header, make sure to validate it as you would any other user-provided input.
You should also check the HTTP Host header against a whitelist of known domains, so that the web application only processes domain names present in the whitelist. The same rule applies to X-Forwarded-Host: only honour it when the request arrives from your own reverse proxy, and validate its value against the same whitelist.
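The following is an added example (not code from the original post) of that whitelist check in Python: the Host header value is normalised (case, trailing dot, optional port), rejected if it is not a well-formed hostname, and then matched against a configured set of known domains; X-Forwarded-Host is consulted only when the caller says the connection came from a trusted proxy. The ALLOWED_HOSTS set, the header values, the path and the token are constructed for this demo.

```python
# Added example (not code from the original post): validating the Host header
# against a whitelist before it is used to build an absolute URL.
# ALLOWED_HOSTS, the header values, the reset path and the token are
# constructed for this demo.
import re

ALLOWED_HOSTS = frozenset({"patchthenet.com", "www.patchthenet.com"})

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen,
# at most 63 characters.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def canonical_host(host_value, allowed=ALLOWED_HOSTS):
    """Parse a Host header value and return the canonical hostname.

    Raises ValueError when the value is missing, malformed or not in the
    whitelist, so the caller serves an error instead of trusting the header.
    """
    if host_value is None:
        raise ValueError("missing Host header")
    value = host_value.strip().lower()
    # Strip an optional ":port". IPv6 literals such as "[::1]:8443" keep
    # their brackets here and then fail the hostname check below, which is
    # fine: they cannot be in a whitelist of domain names anyway.
    host, sep, port = value.rpartition(":")
    if sep:
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad port in Host header: {host_value!r}")
    else:
        host = value
    host = host.rstrip(".")  # "patchthenet.com." names the same host
    if not host or len(host) > 253 or not _HOSTNAME_RE.match(host):
        raise ValueError(f"malformed Host header: {host_value!r}")
    if host not in allowed:
        raise ValueError(f"Host not in whitelist: {host_value!r}")
    return host


def is_allowed_host(host_value, allowed=ALLOWED_HOSTS):
    """Boolean form of canonical_host, handy for logging and for tests."""
    try:
        canonical_host(host_value, allowed)
        return True
    except ValueError:
        return False


def request_host(headers, from_trusted_proxy=False):
    """Decide which header may name the site for this request.

    X-Forwarded-Host is honoured only when the connection came from our own
    reverse proxy, and even then it must pass the same whitelist; a client
    talking to us directly cannot use it to override Host.
    """
    if from_trusted_proxy and headers.get("x-forwarded-host"):
        return canonical_host(headers["x-forwarded-host"])
    return canonical_host(headers.get("host"))


def build_reset_link(headers, token, from_trusted_proxy=False):
    """Safe counterpart of a reset link built straight from the header."""
    host = request_host(headers, from_trusted_proxy)
    return f"https://{host}/reset?token={token}"


if __name__ == "__main__":
    samples = ["patchthenet.com", "WWW.PatchTheNet.com:443", "patchthenet.com.",
               "malicious.com", "patchthenet.com.malicious.com",
               "patchthenet.com@malicious.com", "patchthenet.com:abc", ""]
    for sample in samples:
        print(f"{sample!r:>36} -> {'allowed' if is_allowed_host(sample) else 'rejected'}")
    poisoned = {"host": "patchthenet.com", "x-forwarded-host": "malicious.com"}
    print(build_reset_link(poisoned, "TOKEN"))  # direct client: X-Forwarded-Host ignored
```

Note the two places where a looser check would still be bypassable: comparing the raw header with "in" or "startswith" would accept patchthenet.com.malicious.com, and honouring X-Forwarded-Host from every client would let the poisoned request at the bottom of the block succeed. With this check it resolves to patchthenet.com, and if the same headers arrived through a trusted proxy the forwarded value would simply fail the whitelist.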