Wednesday 30 May 2018

HOST HEADER INJECTION


HOST HEADER INJECTION


Most of the common web servers are configured in the form of the same server to host many web applications with the same IP address this type of configuration is the reason for the Host Header issues. Here we are going to deal with the host header injection attack in various forms, its impact and mitigation.

CONTENTS:

  1. HOST HEADER ISSUES
  2. RISK
  3. HOW ATTACKERS UTILIZE HOST HEADER ATTACK
  4. WHY HOST HEADER HAPPEN
  5. HOW TO FIND HOST HEADER ISSUES
  6. PHASES OF HOST HEADER ISSUES
  7. IMPACT OF HOST HEADER ISSUES
  8. MITIGATIONS FOR HOST HEADER ATTACK
  9. CONCLUSION

HOST HEADER ISSUES:

An attacker can manually divert the code to produce the hacker desired output simply by editing the host header. Most probably web servers are configured to pass the host header to the first virtual host in the list without proper reorganisation, So It is possible to send the HTTP requests with arbitrary host headers to the first virtual host. In that case, if we specify an invalid Host means the web server process it and pass the invalid host header to the first virtual host in the list.
An attacker can modify the host name by giving a fake web page or a vulnerable website and deliver it to the user and fraud the users.
Example:
The result will redirect the user to the attacker’s website by simply modifying the host header

RISK:

Most probably many websites use the values provided in the user input field and uses it afterwards without an improper input validation. Commonly this will not have that much impact on the application, but in some cases, if the application accepts the host header, the risk lays there. There may occur,
  • URL redirection problems.
  • Username and password credentials may be theft.
  • Financial loss may happen in Finance sectors.

HOW ATTACKERS UTILIZE HOST HEADER ATTACK:

The exploitation is based on the logic of the web application. If the application does not use the user input value, then there is no risk. But the host header attack is considered as a serious issue at the time of resetting our password. When we are resetting our forgotten password, or we change our password for our privacy, the web application generates a link dynamically there it uses the host header provided in the request. In this scenario, the hacker uses this header for their evil cause. The hackers use some social engineering and phishing attacks for getting the link. So, the developer should realise the importance of the host header attack.

WHY HOST HEADER HAPPEN:

It is an injection type of attack that done on the HTTP headers.
  • HTTP headers are dynamically generated based on the input of the user. User inputs can be edited or spoof by attackers. It is accessible by everyone.
  • Any website that does not correctly validate or verify the HTTP Host headers.

HOW TO FIND HOST HEADER ISSUES:

Verify the header of the request. Inject other domain in the header field and check the response in the browser.

PHASES OF HOST HEADER ISSUES:

  1. WEB CACHE POISONING WITH SINGLE HOST HEADER:

Web cache poisoning is a kind of technique used by a hacker to manipulate a web cache that serves a poisoned content for those who requests that webpage. For this attack, the hacker needs to poison a caching proxy run by the website itself, or content delivery networks (CND’s), or other caching mechanisms are carried out between the client and the server. In this scenario where caching is enabled, A hacker will potentially embed a remote URL as the base-URL for any website. This scenario then causes other users who request the site will be redirected unknowingly. Thus if an application fails to prevent the user from using the X-Forwarded-Host header, it will effectively override the Host header. The cache will serve the poisoned content to everyone those who request the webpage without the knowledge of the victim.
EXAMPLE:
 

  1. X-FORWARDED HOST HEADER:

Host header injection is mitigated by preventing the tampering of Host header. It means if any request is made with tampered host header, the application responds with an error message like “404 Not Found”. Another way to pass arbitrary Host headers is to use the X-Forwarded-Host header. In some configurations, this header will rewrite the value of the Host header. Therefore it’s possible to make the following request.
EXAMPLE:

  1. WEB POISONING WITH MULTIPLE HOST HEADERS:

It is one of the forms of web cache poisoning attack. It is similar to that of the web cache poisoning using the single header. The only difference is that in this type is that it use multiple headers more than one to the users those who request the website. By tampering with the header, it is possible. The web cache will deliver the wrong content to the user with their knowledge.
EXAMPLE:
GET / HTTP/1.1
Host: www.evil.com

  1. PASSWORD RESET POISONING:

 The significant impact of Host header attack lies in the password resetting functionality. The most common scenario of this attack the hacker generates a secret token and sends a mail that has a link that contains the mysterious symbol of the hacker. The hacker urges the user to make use of his link, and to requests, a password reset link which redirects the user to him. In this case, if the web application makes use of this host header value when composing with the reset link and when the user clicks the poisoned reset link in the mail, then the user will become a victim to the hacker. The attacker will obtain the password reset token and make use of his password for his destructive purposes.
EXAMPLE:
 

IMPACT OF HOST HEADER ISSUES:

  1. A hacker can modify the legitimate host header with a wrong host in the request, and it poisons the cache of the web application server and the proxy. It has nothing to do with the browser. When the authorised user tries to access the host, but still the cache of the web server is poisoned with the hacker’s domain that redirects the licensed user to the domain of the hacker.
  2. If the host headers are used for writing links without a proper HTML encoding, there may be a possibility for Cross-site
  3. Access to the internal
  4. HTML INJECTION also can be done.

MITIGATIONS FOR HOST HEADER ATTACK:

  • Proper sanitation of input values.
  • Proper verification of the request that it came from the original target host or not.
  • Mitigate the Host header attack in Apache and Nginx by creating a dummy virtual host that catches all requests from unrecognised Host headers.
  • Whitelist the trusted domains at the initial phase of the web application.
  • Respective Mapping of the domains that received in the host header of each HTTP request with itself.
  • Use secure server configuration.
  • Disable the support for the X-Forwarded-Host header option.

CONCLUSION:

Many application developers did not realise that the HTTP host header is accessible and controlled by all user. In an application security perspective, the input given by the user is always deceivable, and it is unsafe to trust. So, a web developer should consider host header issues as a dangerous thing not to and neglect it; we should find the impacts caused by the host header and follow the mitigation to safeguard ourselves.
We Briskinfosec is Center for Cyber Security Excellence passionate to protect you from all application security threats on your budget. Talk to our experts contact@briskinfosec.com

AUTHOR

Alex Daniel Raj
Security Engineer
Briskinfosec Technology and Consulting Pvt Ltd.,
follow me @https://www.linkedin.com/in/alex-daniel-raj-xavier-b77869145/
Posted by at No comments:
Labels: , , , , , ,
Subscribe to: Posts (Atom)