Note: the majority of the content here was taken directly from PortSwigger.net.
Table of Contents:

  • What is an HTTP Host Header?
  • What Are Host Header Injection Attacks?
  • How Do We Test for Attacks?
    • Checking for flawed validation
      • Insert the payload within the port field
      • Provide arbitrary domain name containing the whitelisted domain name
    • Sending ambiguous requests to bypass front-end systems.
      • Inserting duplicate Host headers
      • Supply an absolute URL
      • Add line wrapping via space character
    • Additional Technique: Inject Host Override Headers
    • Additional Technique: Brute-Forcing Virtual Hosts
  • Exploitation Examples
    • Example 1A: Basic password reset poisoning (Uses Host Header)
    • Example 1B: Password reset poisoning via middleware (Uses X-Forwarded-Host Header)
    • Example 1C: Password reset poisoning via dangling markup (Uses Arbitrary Port Within Host Header)
    • Example 2: Web cache poisoning via ambiguous requests (Uses X-Cache Header)
    • Example 3: Host header authentication bypass (Changing Host Header to localhost)

What is an HTTP Host Header?

The HTTP Host header is compulsory, and specifies the domain name that the client wants to access. Modifying this header may allow you to view different webpages on the same server, if that server is configured to respond to multiple virtual hosts. In addition to virtual host routing, the Host header is important for a load-balancer or third-party intermediary (think CloudFlare) to know where to route traffic once the request comes in and is processed.
For example, a user browsing to a website at http://example.com/page-1 will issue a request that looks like the following:

GET /page-1 HTTP/1.1
Host: example.com

example.com may resolve to an IP address that many other domain names also resolve to. Because of this, requests for multiple domain names may be sent to the same webserver or resource, and that resource needs to be able to know where to send the traffic. This is done by looking at the Host header.

What Are Host Header Injection Attacks?

When a payload is injected directly into the Host header of an HTTP request, this is referred to as a Host Header Injection attack. If the webserver fails to validate or escape the Host header properly, this could lead to harmful server-side behavior.
As the Host header is in fact user controllable, this practice can lead to a number of issues. If the input is not properly escaped or validated, the Host header is a potential vector for exploiting a range of other vulnerabilities, most notably:

  • Web cache poisoning
  • Business logic flaws in specific functionality
  • Routing-based SSRF
  • Classic server-side vulnerabilities, such as SQL injection

How Do We Test for Attacks?

The process for testing this is very simple. Just intercept the request in Burp, and modify the Host header to an arbitrary value. The webserver will likely respond in one of two ways:

  1. The page you intended to test will display. This typically occurs when the site you're testing is configured as the webserver's default or fallback option when an improper Host header is provided.
  2. The server returns an error. This is more common, especially in cases when multiple websites are being hosted by the same webserver or front-end.

Checking for flawed validation

Instead of returning an "Invalid Host Header" response, you may find that your request is blocked as a security measure. This doesn't mean that the server isn't vulnerable, but you do need to try and understand how the server parses the Host header. The following contains a list of possible bypass techniques:
Insert the payload within the port field. The domain name may be checked, but the port number may not be.

GET /example HTTP/1.1
Host: vulnerable-website.com:bad-stuff-here

Provide an arbitrary domain name containing the whitelisted domain name. Validation may simply be checking whether the target domain is present. By registering an arbitrary domain name that ends with the same sequence of characters as a whitelisted one, you may be able to bypass defenses.

GET /example HTTP/1.1
Host: notvulnerable-website.com
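The two flawed checks described above (ignoring everything after the colon, and a substring match) beside a strict allowlist check, as an added example written for this page; it is not code from PortSwigger or from any lab. The allowlist and function names are constructed for the illustration.

```python
"""Host header validation: the two flawed checks described above beside a
strict allowlist check. Added example for this page, not code from PortSwigger
or a lab. ALLOWED_HOSTS is a constructed value standing in for real config."""
import re

# Constructed allowlist: the hostnames this deployment actually serves.
ALLOWED_HOSTS = {"vulnerable-website.com", "www.vulnerable-website.com"}

# Flawed check 1: only the part before ':' is compared, so anything after the
# colon (the "port") is never inspected.
def flawed_check_ignores_port(host: str) -> bool:
    name = host.split(":", 1)[0].lower()
    return name in ALLOWED_HOSTS

# Flawed check 2: a substring test, so "notvulnerable-website.com" and
# "vulnerable-website.com.evil.example" both pass.
def flawed_check_substring(host: str) -> bool:
    host = host.lower()
    return any(allowed in host for allowed in ALLOWED_HOSTS)

# A hostname is dot-separated labels of letters, digits and hyphens (no
# hyphen at either end of a label, 63 chars max per label).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(r"^%s(?:\.%s)*$" % (_LABEL, _LABEL))

def strict_check(host: str) -> bool:
    """Exact allowlist match on the hostname, and the port (if present) must be
    a decimal number in 1..65535. Anything else is rejected before the value
    reaches URL generation, templates or routing."""
    host = host.strip().lower()
    name, sep, port = host.partition(":")
    if sep and (not port.isdigit() or not 1 <= int(port) <= 65535):
        return False
    if not _HOSTNAME.match(name):
        return False
    return name in ALLOWED_HOSTS

def compare(host: str) -> dict:
    """Convenience view of how each check treats one Host value."""
    return {
        "ignores_port": flawed_check_ignores_port(host),
        "substring": flawed_check_substring(host),
        "strict": strict_check(host),
    }

if __name__ == "__main__":
    for h in ("vulnerable-website.com:443",
              "vulnerable-website.com:bad-stuff-here",
              "notvulnerable-website.com"):
        print(h, compare(h))
```

The strict check deliberately rejects IPv6 literals and anything it cannot parse as a plain hostname plus optional numeric port; a deployment that needs those would extend the allowlist rather than loosen the match.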

Sending ambiguous requests to bypass front-end systems.

In cases where a load balancer or CDN is in place acting as the front-end server, we may be able to bypass security checks on the front-end server using one request, but have the application process the request on the back-end differently. For example, the following bypass techniques can be deployed.
Inserting duplicate Host headers. This is particularly useful when your request is processed by multiple webservers (such as a load-balancer or CDN). Different systems may handle the request differently, giving one header precedence over the other one, which can effectively override its value. Let's say the front-end gives precedence to the first instance of the header, but the back-end prefers the final instance. Given this scenario, you could use the first header to ensure that your request is routed to the intended target and use the second header to pass your payload into the server-side code.

GET /example HTTP/1.1
Host: vulnerable-website.com
Host: bad-stuff-here

Supply an absolute URL. Officially, the request line should be given precedence when routing the request, but this isn't always the case in practice. You may be able to exploit the same behavior mentioned above by issuing a request similar to the one below.

GET https://vulnerable-website.com/ HTTP/1.1
Host: bad-stuff-here

Note: Don't forget to modify the protocol from http to https and vice versa to see the behavior.
Add line wrapping via space character. Sometimes adding a space character before the Host header may cause the indented header to be interpreted as a wrapped line. This may cause the app to treat it as the preceding header's value. This is especially helpful if the website blocks requests that contain multiple Host headers, as it may not register the indented Host header as an extra one.

GET /example HTTP/1.1
 Host: bad-stuff-here
Host: vulnerable-website.com
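A front-end check that refuses the three ambiguous shapes just described (duplicate Host headers, an absolute-URI target that disagrees with Host, and a folded header line), as an added example written for this page rather than code from PortSwigger or a lab. The parser and the sample requests are constructed from the payloads shown above.

```python
"""Front-end check that refuses requests whose Host is ambiguous. Added example
for this page, not code from PortSwigger or a lab. It flags the three tricks
described above: duplicate Host headers, an absolute-URI request target whose
authority disagrees with Host, and a header line starting with whitespace
(obsolete line folding), which RFC 7230 lets a server reject outright. The
sample requests are constructed from the examples in the text."""
from urllib.parse import urlsplit

def parse_request_head(raw: str):
    """Split a raw HTTP/1.1 request head into (method, target, version, headers).
    headers is a list of (lowercased name, value) in wire order. A folded line
    raises ValueError instead of being glued onto the previous header."""
    lines = raw.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if line == "":          # end of the header block
            break
        if line[0] in " \t":
            raise ValueError("obsolete line folding: header line starts with whitespace")
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, version, headers

def find_host_ambiguities(raw: str) -> list:
    """Return the reasons this request's Host cannot be trusted; [] means none."""
    try:
        _, target, _, headers = parse_request_head(raw)
    except ValueError as exc:
        return [str(exc)]
    hosts = [v for n, v in headers if n == "host"]
    problems = []
    if not hosts:
        problems.append("missing Host header")
    elif len(hosts) > 1:
        problems.append("duplicate Host headers: %s" % hosts)
    if target.lower().startswith(("http://", "https://")):
        # Absolute-form target: RFC 7230 says its authority wins over Host, but
        # front-end and back-end may disagree, so require them to match.
        authority = urlsplit(target).netloc
        if hosts and authority.lower() != hosts[0].lower():
            problems.append("absolute-URI authority %r disagrees with Host %r"
                            % (authority, hosts[0]))
    return problems

# Constructed sample requests, based on the payloads shown in the text.
REQ_CLEAN = "GET /example HTTP/1.1\r\nHost: vulnerable-website.com\r\n\r\n"
REQ_DUPLICATE = ("GET /example HTTP/1.1\r\nHost: vulnerable-website.com\r\n"
                 "Host: bad-stuff-here\r\n\r\n")
REQ_ABSOLUTE = "GET https://vulnerable-website.com/ HTTP/1.1\r\nHost: bad-stuff-here\r\n\r\n"
REQ_FOLDED = ("GET /example HTTP/1.1\r\n Host: bad-stuff-here\r\n"
              "Host: vulnerable-website.com\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("clean", REQ_CLEAN), ("duplicate", REQ_DUPLICATE),
                      ("absolute", REQ_ABSOLUTE), ("folded", REQ_FOLDED)]:
        print(name, find_host_ambiguities(req) or "ok")
```

The point of rejecting rather than "normalizing" is that any choice the front-end makes (first header, last header, request line) is only safe if every hop behind it makes the same choice; a 400 removes the disagreement entirely.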

Additional Technique: Inject Host Override Headers

If we can't override the Host header using one of the above mentioned techniques, perhaps we can inject our payload into a header that will override it for us. For instance, that could be one of the following:

  • X-Host
  • X-Forwarded-Server
  • X-HTTP-Host-Override
  • Forwarded

GET /example HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-Host: bad-stuff-here

Additional Technique: Brute-Forcing Virtual Hosts

Companies sometimes make the mistake of hosting publicly accessible websites and private, internal sites on the same server. Servers typically have both a public and a private IP address. As the internal hostname may resolve to the private IP address, this scenario can't always be detected simply by looking at DNS records.
In some cases, the internal website might not even have a public DNS record associated with it. Nonetheless, an attacker can typically access any virtual host on any server that they have access to, provided they can guess the hostnames. If they have discovered a hidden domain name through other means, such as information disclosure, they could simply request this directly. Otherwise, they can use tools like Burp Intruder to brute-force virtual hosts using a simple wordlist of candidate subdomains.

Exploitation Examples

So we've used the techniques mentioned above and have identified that a website is vulnerable to a Host Header Injection attack. How do we actually exploit this, and what is the impact? These examples will help you answer those questions.

Example 1A: Basic password reset poisoning (Uses Host Header)

To begin, we start by sending a password reset request for our own account. This is received in our email and we observe that the reset link contains a unique token that is used to issue the reset request.

If we issue another password reset request, but this time modify the Host header to a domain that we control (nope.com), the page returns a success 200 message.

Heading over to our email, we see that the password reset link is generated for http://nope.com.

Armed with this knowledge, we can craft our malicious request by submitting a password reset, but modifying the Host header to point to a domain that we control.

Once the link that is sent to Carlos gets clicked, it should issue a request to our malicious domain. The request should include Carlos' valid password reset token.

Now that we have his token, we can reset Carlos' password by issuing the proper POST request.

Example 1B: Password reset poisoning via middleware (Uses X-Forwarded-Host Header)

This exercise is basically the same as the above, except modifying the Host header returns an error. Instead, we can inject our own X-Forwarded-Host header that contains an arbitrary domain.

Which then generates an email containing a password reset token attached to a domain that we can control.

So again, we update the X-Forwarded-Host header within a new password reset request, but we'll point it to a domain that we actually control and modify the user to be Carlos.

This will generate an email containing a link. Once that link is clicked by Carlos, a password reset request is sent to our domain that contains the token we need.

Throwing that into Burp allows us to reset Carlos' password.
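Examples 1A and 1B, and the override-header section before them, share one root cause: the application builds an absolute URL from a header the client controls. The following added example (written for this page; not the lab's or PortSwigger's code) shows that vulnerable pattern next to the two fixes a defender would apply: generating the link from a configured canonical origin, and stripping override headers at the edge unless they come from a trusted proxy. The origin, proxy range and header list are constructed for the illustration.

```python
"""Generating a password-reset link without trusting request headers. Added
example for this page, not the lab's or PortSwigger's code. CANONICAL_ORIGIN,
TRUSTED_PROXIES and the header names are constructed for the example."""
from ipaddress import ip_address, ip_network

# Constructed config: the one origin reset links should ever point at, and the
# address range of our own reverse proxies / load balancers.
CANONICAL_ORIGIN = "https://vulnerable-website.com"
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

# Headers that middleware or frameworks may treat as a Host override (the list
# from the section above, plus X-Forwarded-Host from the examples).
OVERRIDE_HEADERS = {"x-forwarded-host", "x-host", "x-forwarded-server",
                    "x-http-host-override", "forwarded"}

def reset_link_from_headers(headers: dict, token: str) -> str:
    """The vulnerable pattern behind examples 1A and 1B: the link's origin is
    built from X-Forwarded-Host (if present) or Host, both client controlled."""
    lower = {k.lower(): v for k, v in headers.items()}
    host = lower.get("x-forwarded-host") or lower.get("host", "")
    return "https://%s/reset?token=%s" % (host, token)

def reset_link_from_config(token: str) -> str:
    """The fix: the origin comes from configuration, so no header value can
    redirect the link. The token is the only request-derived part."""
    return "%s/reset?token=%s" % (CANONICAL_ORIGIN, token)

def strip_override_headers(headers: dict, peer_ip: str) -> dict:
    """Edge step: drop Host-override headers unless the connection comes from
    one of our own proxies (which must set them itself rather than pass the
    client's copy through). Returns a new dict."""
    peer = ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}

if __name__ == "__main__":
    # Constructed request: the shape of what is sent in example 1B.
    poisoned = {"Host": "vulnerable-website.com", "X-Forwarded-Host": "attacker.example"}
    print(reset_link_from_headers(poisoned, "TOKEN"))
    print(reset_link_from_config("TOKEN"))
    print(strip_override_headers(poisoned, "203.0.113.5"))
```

Stripping at the edge is defence in depth only; the configured origin is what actually closes the bug, because a trusted proxy that forwards the client's X-Forwarded-Host unchanged would re-open it.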

Example 1C: Password reset poisoning via dangling markup (Uses Arbitrary Port Within Host Header)

In this example, a valid password reset request will send an email containing a new password.

We find that modifying the domain within the Host header within our request returns an error, but modifying the port does not return an error.

Heading back to our mailbox, we can confirm that the arbitrary value we added to the port number is injected into the email message that gets sent. But we have to analyze this either by viewing the source code of the page, the response directly in Burp, or the raw email message. Viewing the raw email is the easiest.

Armed with these details, we can analyze the message and see that we have an injection point that is reflected inside a link as an unescaped, single-quoted string. We'll issue another password reset request, but this time we'll do it for Carlos and use the port to break out of the string and inject a dangling-markup payload pointing to our exploit server.

The result is a mangled email being sent to the victim, but the AV is used to scan the link that we injected. This issues a GET request to our exploit server that contains the victim's newly generated password.

Example 2: Web cache poisoning via ambiguous requests (Uses X-Cache Header)

In this example, we find that caching is in use by observing the "X-CACHE" header. In addition to this, we find that we're able to inject an arbitrary domain within a Javascript tag by adding a 2nd Host header to our request. Combining these two items could allow us to run Javascript that we control in the browser of any victim that is served our cached web page.
To begin, we notice that a simple GET request to the root of the site returns a 200 OK that isn't cached.

However, sending a 2nd request to the same page quickly does confirm that caching is in use.

To request a unique page each time, we'll just add a dummy parameter to our request that we can increment when we don't wish to retrieve a cached page. For example, I'll add ?cb=1234 to the request.

Now let's increase this value one more time, and see what happens when we try to inject a 2nd Host header that contains an arbitrary domain. We see that the returned response was not cached, and the 2nd Host header we provided was reflected into a Javascript script tag.

We find that removing the 2nd Host header and issuing a 2nd request to the same page will return our injected payload in the response, as long as the returned response is cached.

To get malicious with this, let's create our own Javascript file on our exploit server. We'll need to make sure that it has the same file name/path as provided in the response from the webserver. That path is /resources/js/tracking.js.

With our payload crafted, make note of the URL that it lives at. Next, let's go back into Burp and increment our ?cb param again. Before submitting the request, make sure to also include a 2nd Host header that points to the domain hosting your .js payload.

Quickly, we'll remove the 2nd Host header from our request to confirm the returned response is cached and still contains our injected payload.

Finally, we can simulate a user browsing to the malicious page and triggering the Javascript.

To solve the lab, remove the ?cb parameter and reissue the requests so that the Javascript payload will fire when a victim accesses the home page.

Example 3: Host header authentication bypass (Changing Host Header to localhost)

In this exercise, we find that an admin panel is available at /admin, but the page won't load unless you're accessing it locally.

However, intercepting the request and adjusting the Host header to localhost bypasses this requirement.

And now we can delete users.
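Examples 2 and 3 both leave a trace that a reverse proxy can log: more than one Host value on a request, a client-supplied X-Forwarded-Host, and "localhost" as the Host on an admin path from an external address. The following detection pass is an added example written for this page, not code from PortSwigger or a lab; the log format, the allowlist, the internal ranges and the log lines themselves are all constructed, and the regex would need adapting to a real proxy's format.

```python
"""Detection pass over reverse-proxy access logs for the Host header abuse
described in examples 2 and 3. Added example for this page, not code from
PortSwigger or a lab. The log format, allowlist, internal ranges and the log
lines themselves are all constructed; adapt the regex to your own proxy's format."""
import re
from ipaddress import ip_address, ip_network

ALLOWED_HOSTS = {"vulnerable-website.com", "www.vulnerable-website.com"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]

# Constructed format: ts client_ip method path host="..." xfh="..." status=N
# where host= is the joined value of every Host header received and xfh= is the
# X-Forwarded-Host the client supplied ("-" when absent).
LINE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) '
                  r'host="(?P<host>[^"]*)" xfh="(?P<xfh>[^"]*)" status=(?P<status>\d+)$')

# Constructed sample log: one clean request followed by the shapes of
# examples 2 (duplicate Host), 1B (override header) and 3 (Host: localhost).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.7 GET / host="vulnerable-website.com" xfh="-" status=200
2024-05-01T10:00:01Z 203.0.113.7 GET /?cb=1235 host="vulnerable-website.com, evil.example" xfh="-" status=200
2024-05-01T10:00:02Z 203.0.113.7 POST /forgot-password host="vulnerable-website.com" xfh="attacker.example" status=200
2024-05-01T10:00:03Z 203.0.113.7 GET /admin host="localhost" xfh="-" status=200
2024-05-01T10:00:04Z 10.0.0.4 GET /admin host="localhost" xfh="-" status=200
"""

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def reasons_for(fields: dict) -> list:
    """Why one parsed log line is suspicious; [] if it looks normal."""
    hosts = [h.strip().lower() for h in fields["host"].split(",")]
    reasons = []
    if len(hosts) > 1:
        reasons.append("multiple Host values")                  # example 2 precondition
    if any(h.split(":")[0] not in ALLOWED_HOSTS for h in hosts):
        reasons.append("Host outside allowlist")
    if fields["xfh"] != "-":
        reasons.append("client-supplied X-Forwarded-Host")      # example 1B precondition
    if ("localhost" in hosts and fields["path"].startswith("/admin")
            and not is_internal(fields["ip"])):
        reasons.append("localhost Host on admin path from external address")  # example 3
    return reasons

def scan(log_text: str) -> list:
    """Return one finding dict per suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue            # unparsable line: not this detector's job
        fields = m.groupdict()
        reasons = reasons_for(fields)
        if reasons:
            findings.append({"ts": fields["ts"], "ip": fields["ip"],
                             "path": fields["path"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], "; ".join(f["reasons"]))
```

The allowlist rule alone catches all four of the suspicious lines; the more specific rules exist so an analyst can tell a cache-poisoning attempt from an auth-bypass attempt without re-reading the raw request.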

Example 4: Routing-based SSRF

This example requires access to Burp Pro. I will update this post once I have access to this tool.
