
Testing for Host Header Injection

ID
WSTG-INPV-17

Summary

A web server commonly hosts several web applications on the same IP address, referring to each application via a virtual host. For an incoming HTTP request, the web server often dispatches the request to the target virtual host based on the value supplied in the Host header. Without proper validation of the header value, an attacker can supply invalid input to cause the web server to:

  • dispatch requests to the first virtual host on the list
  • cause a redirect to an attacker-controlled domain
  • perform web cache poisoning
  • manipulate password reset functionality

Test Objectives

  • Assess if the Host header is being parsed dynamically in the application.
  • Bypass security controls that rely on the header.

How to Test

Initial testing is as simple as supplying another domain (i.e. attacker.com) in the Host header field. It is how the web server processes the header value that dictates the impact. The attack is valid when the web server processes the input to send the request to an attacker-controlled host that resides at the supplied domain, and not to an internal virtual host that resides on the web server.

    GET / HTTP/1.1
    Host: www.attacker.com
    [...]

In the simplest case, this may cause a 302 redirect to the supplied domain.

    HTTP/1.1 302 Found
    [...]
    Location: http://www.attacker.com/login.php

Alternatively, the web server may send the request to the first virtual host on the list.

X-Forwarded-Host Header Bypass

In the event that Host header injection is mitigated by checking for invalid input injected via the Host header, you can supply the value to the X-Forwarded-Host header instead.

    GET / HTTP/1.1
    Host: www.example.com
    X-Forwarded-Host: www.attacker.com
    ...

Potentially producing client-side output such as:

    ...
    <link src="http://www.attacker.com/link" />
    ...

Once again, this depends on how the web server processes the header value.
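The two tests above (a foreign domain supplied in Host, then in X-Forwarded-Host) both come down to the server trusting a request-controlled hostname. The following is an added example, not part of the WSTG page or any project's code, showing the mitigation side: a check that compares Host and the common forwarding headers against a configured allow-list, run over constructed sample requests for the cases described. The raw-request parser, ALLOWED_HOSTS, FORWARDING_HEADERS and the sample requests are assumptions of the example, not values from the page.

```python
"""Allow-list check for the Host header and its forwarding variants.

Added example for this page, not OWASP WSTG code. The raw-request parser,
the allow-list and the sample requests below are all constructed for the demo.
"""
from urllib.parse import urlsplit

# Constructed: the hostnames this deployment legitimately serves.
ALLOWED_HOSTS = frozenset({"www.example.com", "example.com"})

# Headers that some frameworks and proxies treat as the effective host
# in place of Host, so they need the same check.
FORWARDING_HEADERS = ("x-forwarded-host", "x-host", "x-forwarded-server")


def parse_headers(raw_request: str) -> dict:
    """Parse a raw HTTP/1.1 request's header block into a lower-cased dict.

    Repeated headers are joined with ', ' so a second Host line is not lost.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: dict = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def normalize_host(value: str) -> str:
    """Lower-case the hostname and drop an optional :port.

    Returns '' for anything that is not a bare host (a value carrying a
    path, query, fragment or userinfo), so it can never match the allow-list.
    """
    parts = urlsplit("//" + value.strip())  # '//' makes urlsplit treat it as a netloc
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return ""
    return (parts.hostname or "").lower()


def host_check(raw_request: str, allowed_hosts=ALLOWED_HOSTS) -> tuple:
    """Return (accepted, reason) for a raw request.

    The request is accepted only if Host, and every forwarding header that is
    present, names an allow-listed host; otherwise the reason names the
    failing header so the rejection can be logged and alerted on.
    """
    headers = parse_headers(raw_request)
    host = headers.get("host")
    if host is None:
        return False, "missing Host header"
    if "," in host:
        return False, "repeated Host header"
    if normalize_host(host) not in allowed_hosts:
        return False, f"Host not allow-listed: {host!r}"
    for name in FORWARDING_HEADERS:
        if name not in headers:
            continue
        # A proxy chain may legitimately append hosts as a comma-separated list.
        for candidate in headers[name].split(","):
            if normalize_host(candidate) not in allowed_hosts:
                return False, f"{name} not allow-listed: {candidate.strip()!r}"
    return True, "ok"


# Constructed sample requests matching the cases described on the page.
REQUESTS = {
    "legitimate": "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "legitimate_with_port": "GET / HTTP/1.1\r\nHost: www.example.com:8443\r\n\r\n",
    "host_injection": "GET / HTTP/1.1\r\nHost: www.attacker.com\r\n\r\n",
    "x_forwarded_host_bypass": (
        "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
        "X-Forwarded-Host: www.attacker.com\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for label, raw in REQUESTS.items():
        accepted, reason = host_check(raw)
        print(f"{label:<24} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

The check is strict on purpose: a value that is not a bare hostname (for instance one carrying a path) normalizes to the empty string and is rejected rather than partially matched, and the port is stripped only after the host has been isolated, so a legitimate request on a non-default port still passes.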

Web Cache Poisoning

Using this technique, an attacker can manipulate a web cache to serve poisoned content to anyone who requests it. This relies on the ability to poison the caching proxy run by the application itself, CDNs, or other downstream providers. As a result, the victim will have no control over receiving the malicious content when requesting the vulnerable application.

    GET / HTTP/1.1
    Host: www.attacker.com
    ...

The following will be served from the web cache when a victim visits the vulnerable application.

    ...
    <link src="http://www.attacker.com/link" />
    ...

Password Reset Poisoning

It is common for password reset functionality to include the Host header value when creating password reset links that use a generated secret token. If the application processes an attacker-controlled domain to create a password reset link, the victim may click on the link in the email and allow the attacker to obtain the reset token, thus resetting the victim's password.

    ... Email snippet ...

    Click on the following link to reset your password:

    http://www.attacker.com/index.php?module=Login&action=resetPassword&token=

    ... Email snippet ...
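Both the password reset link above and the absolute link element in the Web Cache Poisoning section come from the same mistake: building an absolute URL from the request's Host header. The following is an added example, not WSTG code or any project's own implementation. It shows the Host-derived link builder next to a hardened one that uses a deploy-time origin, plus an allow-list variant for deployments that legitimately serve several hostnames. CANONICAL_ORIGIN, RESET_PATH, ALLOWED_HOSTS, the sample header dicts and the token values are constructed assumptions of the example.

```python
"""Reset-link generation: Host-derived (the flaw on this page) beside a
hardened form that uses a deploy-time origin.

Added example, not OWASP WSTG code. CANONICAL_ORIGIN, RESET_PATH,
ALLOWED_HOSTS, the header dicts and the tokens are constructed sample values.
"""
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed: fixed at deploy time, never read from the request.
CANONICAL_ORIGIN = "https://www.example.com"
RESET_PATH = "/index.php"
# Constructed: hosts permitted to appear in generated links (multi-host deployments).
ALLOWED_HOSTS = frozenset({"www.example.com", "example.com"})


def reset_query(token: str) -> str:
    """Query string shared by both link builders; urlencode escapes the token."""
    return urlencode({"module": "Login", "action": "resetPassword", "token": token})


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """The pattern the page describes: the link's host is copied from the
    request, so whoever set Host (or X-Forwarded-Host) chooses where the
    victim's token is sent when the link is clicked."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"http://{host}{RESET_PATH}?{reset_query(token)}"


def hardened_reset_link(token: str, origin: str = CANONICAL_ORIGIN) -> str:
    """Hardened form: the origin comes from configuration and request
    headers are never consulted, so the link cannot be redirected."""
    return f"{origin}{RESET_PATH}?{reset_query(token)}"


def origin_for_request(headers: dict, fallback: str = CANONICAL_ORIGIN) -> str:
    """For deployments that genuinely serve several hostnames: use the
    request's Host only when it is allow-listed, else the configured fallback.
    Forwarding headers are deliberately ignored here."""
    host = headers.get("Host", "").strip().lower().split(":", 1)[0]
    if host in ALLOWED_HOSTS:
        return f"https://{host}"
    return fallback


def link_host(url: str) -> str:
    """Hostname the link actually points at, for assertions and log review."""
    return urlsplit(url).hostname or ""


def new_token() -> str:
    """Unguessable reset token; its secrecy is what the link carries."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    token = new_token()
    # Constructed request headers as sent during the test described on the page.
    poisoned = {"Host": "www.attacker.com"}
    print("vulnerable:         ", vulnerable_reset_link(poisoned, token))
    print("hardened:           ", hardened_reset_link(token))
    print("allow-listed origin:", origin_for_request(poisoned))
```

The hardened builder is the one to prefer: with the origin fixed in configuration there is nothing in the request for a tester (or an attacker) to influence, and the same rule removes the cache poisoning vector, since the absolute URLs embedded in a cached page no longer depend on who sent the request that populated the cache.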
