It is common practice for the same web server to host several websites or web applications on the same IP address. This is why the Host header exists. The Host header specifies which website or web application should process an incoming HTTP request. The web server uses the value of this header to dispatch the request to the specified website or web application. Each web application hosted on the same IP address is commonly referred to as a virtual host. So what constitutes a Host header attack?
What happens if we specify an invalid Host header? Most web servers are configured to pass requests with an unrecognized Host header to the first (default) virtual host in the list. Therefore, it is possible to send requests with arbitrary Host headers to the first virtual host.

Another way to pass arbitrary Host headers is to use the X-Forwarded-Host header. In some configurations (typically a reverse proxy in front of the application) the value of this header will overwrite the value of the Host header seen by the application. Therefore it is possible to make the following request.

GET / HTTP/1.1
Host: www.example.com
X-Forwarded-Host: www.attacker.com

Many web applications rely on the HTTP Host header to understand "where they are", for example when building absolute URLs for links in emails, redirects or password-reset messages. Unfortunately, what many application developers do not realize is that the HTTP Host header is controlled by the user. As you might already know, in application security user input should always be considered unsafe and, consequently, never trusted without properly validating it first.

The use of the Host header is particularly common in PHP web applications, however, it is certainly not a problem endemic to PHP web applications. The PHP script in the following example is a typical and dangerous use of the Host header.
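The article's own script is not reproduced on this page. The PHP below is an added example, not the article's code: it shows the dangerous pattern the text describes (building a password-reset link from `$_SERVER['HTTP_HOST']`, with X-Forwarded-Host allowed to override it as a rewriting proxy would) next to a hardened version that only trusts a configured allowlist of hostnames. The hostnames, the token and the `$request` array are constructed for the demo.

```php
<?php
// Added example, not the original article's script.
// Hostnames, token and the $request array are constructed for the demo.

declare(strict_types=1);

// Vulnerable: trusts whatever host the request carried. Mirrors a front-end
// proxy that lets X-Forwarded-Host override Host (assumption about the
// deployment), so the link's origin ends up fully attacker-controlled.
function resetLinkVulnerable(array $server, string $token): string
{
    $host = $server['HTTP_X_FORWARDED_HOST'] ?? $server['HTTP_HOST'];
    return 'https://' . $host . '/reset.php?token=' . urlencode($token);
}

// Hardened: never derive the site origin from request headers alone.
// Compare the presented Host against an allowlist and fall back to the
// canonical name; X-Forwarded-Host is ignored entirely.
const ALLOWED_HOSTS  = ['www.example.com', 'example.com'];
const CANONICAL_HOST = 'www.example.com';

function validatedHost(array $server, array $allowed = ALLOWED_HOSTS): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    // Strip an explicit port ("www.example.com:443") before comparing.
    $host = preg_replace('/:\d+$/', '', $host);
    if ($host === '' || !in_array($host, $allowed, true)) {
        // Alternatively respond 400 here instead of silently falling back.
        return CANONICAL_HOST;
    }
    return $host;
}

function resetLinkHardened(array $server, string $token): string
{
    return 'https://' . validatedHost($server)
         . '/reset.php?token=' . urlencode($token);
}

// Demo: the request shown in the article, with the attacker's X-Forwarded-Host.
$request = [
    'HTTP_HOST'             => 'www.example.com',
    'HTTP_X_FORWARDED_HOST' => 'www.attacker.com',
];
$token = 'constructed-token-123';

echo 'vulnerable: ' . resetLinkVulnerable($request, $token) . PHP_EOL;
echo 'hardened:   ' . resetLinkHardened($request, $token) . PHP_EOL;
```

Run it with `php host_header.php`: the vulnerable link points at www.attacker.com, so a victim who clicks it hands the reset token to the attacker, while the hardened link always points at an allowed host. The same check is worth applying to any place the application reads `HTTP_HOST`, `SERVER_NAME` or a framework's "current URL" helper; on Apache, `UseCanonicalName On` with an explicit `ServerName` makes `SERVER_NAME` come from the configuration rather than the request, but `HTTP_HOST` remains the raw header and still needs the allowlist.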
