Research on Host Header Injection
Hello guys 👋👋, Prajit here from the BUG XS Team and a Cybersecurity and Red Team Intern at Cyber Sapiens United LLP. As part of this internship I am regularly given interesting tasks; my eleventh task was to research Host Header Injection and the various exploits that can be obtained from it.
What is a Host Header?
The Host header specifies which website or web application should process an incoming HTTP request. Because many sites can share one IP address, the web server uses the value of this header to dispatch the request to the right one; each web application hosted on the same IP address is commonly referred to as a virtual host. Applications also frequently read the same value to build absolute URLs (redirects, canonical links, links in e-mails), and that second use is where the attacks below come from.
Why Host Header Injection Occurs?
Most web servers are configured to pass a request with an unrecognized Host header to the first (default) virtual host in their configuration. Therefore it is possible to send requests with arbitrary Host headers and still reach the application running on that first virtual host. The injection problem arises when that application trusts the value it received.
By sending the requests below, we can check whether the Host header is properly validated or not.
Different Methods to Find Host Header injection?
Method-1: Changing the Host header completely, replacing the current Host header with an evil domain:
GET / HTTP/1.1
Host: www.evil.com
Method-2: Keeping the real Host and adding an X-Forwarded-Host header to pass the malicious domain:
GET / HTTP/1.1
Host: www.example.com
X-Forwarded-Host: www.evil.com
Method-3: Swapping the values of the Host and X-Forwarded-Host headers:
GET / HTTP/1.1
Host: www.evil.com
X-Forwarded-Host: www.example.com
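In each of the three variants the thing to look for is the injected domain reflected back: in a Location header, in absolute links, canonical tags or script sources in the body, or in an e-mail the application sends. The script below is an added example (not code from this write-up) that builds the three header sets, sends them with http.client (which honours a caller-supplied Host header and does not follow redirects), and reports where the canary domain was reflected. The canary `www.evil.com`, the target URL and the sample response are assumptions; in practice use a domain you control, such as a Burp Collaborator payload.

```python
import http.client
import re
from urllib.parse import urlparse

# Assumed canary domain (from the write-up's examples). Use a domain you
# control so that out-of-band hits, e.g. from e-mails, are also visible.
CANARY = "www.evil.com"

# Matches absolute and protocol-relative URLs inside HTML/JSON bodies.
URL_RE = re.compile(r"(?:https?:)?//[^\s\"'<>]+")


def host_header_probes(target_url: str, canary: str = CANARY) -> dict:
    """Return the three header variants from the write-up, keyed by method.

    Method-1 replaces Host outright, Method-2 keeps the real Host and adds
    X-Forwarded-Host, Method-3 swaps the two values.
    """
    real_host = urlparse(target_url).netloc
    return {
        "method-1 (replace Host)": {"Host": canary},
        "method-2 (add X-Forwarded-Host)": {"Host": real_host, "X-Forwarded-Host": canary},
        "method-3 (swap values)": {"Host": canary, "X-Forwarded-Host": real_host},
    }


def send_probe(target_url: str, headers: dict, timeout: float = 10.0):
    """Send one GET with exactly the given headers; return (status, headers, body).

    http.client skips its own Host header when one is supplied and never
    follows redirects, so a poisoned Location header is visible to us.
    """
    u = urlparse(target_url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers=headers)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return resp.status, dict(resp.getheaders()), body
    finally:
        conn.close()


def find_reflections(headers: dict, body: str, canary: str = CANARY) -> list:
    """List where the canary host was reflected in a response.

    A hit in Location is the open-redirect case; a hit inside an absolute
    URL in the body is what makes cache poisoning (and, for reset e-mails,
    password-reset poisoning) possible.
    """
    h = {k.lower(): v for k, v in headers.items()}
    hits = []
    location = h.get("location", "")
    if location and urlparse(location).hostname == canary:
        hits.append(f"Location header -> {location}")
    for m in URL_RE.finditer(body):
        if urlparse(m.group(0)).hostname == canary:
            hits.append(f"body URL -> {m.group(0)}")
    return hits


# Constructed sample response (not captured from any real site): a redirect
# to the injected host plus a canonical link built from it.
SAMPLE_HEADERS = {"Location": "https://www.evil.com/login", "Content-Type": "text/html"}
SAMPLE_BODY = '<html><head><link rel="canonical" href="https://www.evil.com/"></head></html>'


def demo() -> list:
    """Run the reflection check over the constructed sample response."""
    return find_reflections(SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    # Against a live target (assumed URL) you would do:
    #   for name, hdrs in host_header_probes("https://www.example.com/").items():
    #       status, rh, body = send_probe("https://www.example.com/", hdrs)
    #       print(name, status, find_reflections(rh, body))
    for name, hdrs in host_header_probes("https://www.example.com/").items():
        print(name, hdrs)
    print(demo())
```

A reflection in the body of a page that the site caches is the cache-poisoning lead; a reflection only in a Location header is the (low-rated) open redirect; for the password-reset case the "response" to inspect is the e-mail, so the canary must be a domain whose HTTP and DNS traffic you can observe.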
What are the Different Exploits of Host Header?
1. Header Based Open Redirection:
In this case, changing the header leads to an unvalidated redirect to the injected domain (for example through a Location header that the application builds from the Host value). Because heavy user interaction is needed to exploit it, this is rated P5 on Bugcrowd.
2. Web Cache Poisoning:
Web cache poisoning is a technique used by an attacker to manipulate a web cache so that it serves poisoned content to anyone who requests the affected pages.
For this to occur, an attacker needs to poison a caching proxy run by the site itself, or one of the downstream providers, content delivery networks (CDNs), syndicators or other caching layers between the client and the server. The cache then serves the poisoned content to everyone who requests it, and the victims have no control whatsoever over the malicious content being served to them. The Host header is the entry point when a cached page embeds absolute URLs (script sources, links, canonical tags) built from it: one request with an attacker-controlled Host or X-Forwarded-Host places attacker-controlled URLs into the cached copy that every later visitor receives.
3. Password Reset Poisoning:
This is the most critical exploit of Host Header Injection; it is a P2 vulnerability according to the Bugcrowd VRT.
A common way to implement password reset functionality is to generate a secret token and send the user an e-mail with a link containing this token. What could happen if an attacker requests a password reset for the victim's address with an attacker-controlled Host header?
If the web application uses the Host header value when composing the reset link, the attacker can poison the password reset link that is sent to the victim. When the victim clicks the poisoned link in the e-mail, the request (token included) goes to the attacker's server; the attacker obtains the password reset token and can go ahead and reset the victim's password on the real site.
Replication Steps:
1) Visit https://example.com/#/forgot-password, enter the victim's e-mail address and capture the request in your proxy.
2) In the proxy, change the Host header to your Burp Collaborator payload domain (if the application rejects an unknown Host, try Method-2 and Method-3 with X-Forwarded-Host as well).
3) If the application builds the reset link from that header, the e-mail the victim receives now points at the Collaborator domain. As soon as the victim clicks the link, an HTTP request is captured in Burp Collaborator, and its path or query string contains the password reset token for the victim's account.
4) Now you can simply use that token on the real site to change the password, which leads to account takeover.
How to Prevent Host Header Injection?
Mitigating Host Header Injection is simple in principle: don't trust the Host header. Build absolute URLs (reset links, redirects, canonical URLs) from a canonical base URL kept in configuration rather than from the request. However, in some cases this is easier said than done, especially in situations involving legacy code. If you must use the Host header as a mechanism for identifying the location of the web server, it is highly advised to validate it against a whitelist of allowed hostnames with an exact match, reject anything else, and never fall back to X-Forwarded-Host unless your own reverse proxy is the one setting it. Many frameworks provide this check (Django's ALLOWED_HOSTS setting, for example), and the web server itself can be given a catch-all default virtual host that refuses requests for names it does not serve.
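To make the password reset poisoning above and the prevention advice here concrete, the following added example (not code from this write-up or any project) shows a reset-link builder written the vulnerable way next to the two fixes: a configured canonical base URL, and, for legacy code that must derive the host from the request, an exact allowlist check that ignores X-Forwarded-Host. The hostnames `www.example.com`, `example.com` and the attacker domain `attacker-collab.example` (standing in for a Burp Collaborator payload) are assumptions.

```python
import secrets
from urllib.parse import urlencode

# Assumed canonical hostnames; in a real deployment they come from
# configuration, never from the request.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
CANONICAL_BASE = "https://www.example.com"

# Assumed attacker-controlled domain standing in for a Collaborator payload.
ATTACKER_HOST = "attacker-collab.example"


def new_reset_token() -> str:
    """Unguessable token; the link is only as safe as the host it points at."""
    return secrets.token_urlsafe(32)


def _lower_headers(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The pattern the write-up warns about: the absolute URL placed in the
    e-mail is built from whatever Host (or X-Forwarded-Host) the request
    carried, so whoever requests the reset chooses the domain."""
    h = _lower_headers(headers)
    host = h.get("x-forwarded-host", h.get("host"))
    return f"https://{host}/reset-password?{urlencode({'token': token})}"


def reset_link_fixed_base(token: str) -> str:
    """Preferred fix: ignore the request entirely and use the configured base."""
    return f"{CANONICAL_BASE}/reset-password?{urlencode({'token': token})}"


def _host_without_port(host: str) -> str:
    host = host.strip().lower()
    if host.startswith("[") and "]" in host:   # IPv6 literal, e.g. [::1]:8443
        return host[: host.index("]") + 1]
    return host.split(":", 1)[0]


def host_is_allowed(headers: dict, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Exact allowlist match on Host only. X-Forwarded-Host is deliberately
    ignored, and there is no suffix or prefix matching, so a value such as
    'www.example.com.attacker-collab.example' does not pass."""
    h = _lower_headers(headers)
    return _host_without_port(h.get("host", "")) in allowed_hosts


class UntrustedHost(ValueError):
    pass


def reset_link_allowlisted(headers: dict, token: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Legacy-friendly fix for code that must take the host from the request."""
    if not host_is_allowed(headers, allowed_hosts):
        raise UntrustedHost(f"refusing to build reset link for Host {headers.get('Host')!r}")
    host = _host_without_port(_lower_headers(headers)["host"])
    return f"https://{host}/reset-password?{urlencode({'token': token})}"


def poison_demo(token: str = "deadbeef") -> dict:
    """Run the attacker's three request variants through both builders.
    Returns the link the vulnerable code would e-mail for each variant and
    whether the allowlisted code accepts the request at all."""
    variants = {
        "replace Host": {"Host": ATTACKER_HOST},
        "add X-Forwarded-Host": {"Host": "www.example.com", "X-Forwarded-Host": ATTACKER_HOST},
        "swap values": {"Host": ATTACKER_HOST, "X-Forwarded-Host": "www.example.com"},
    }
    return {
        name: {
            "vulnerable_link": reset_link_vulnerable(hdrs, token),
            "allowlist_accepts": host_is_allowed(hdrs),
        }
        for name, hdrs in variants.items()
    }


if __name__ == "__main__":
    for name, result in poison_demo().items():
        print(name, result)
    print("fixed base:", reset_link_fixed_base(new_reset_token()))
```

Note which variant actually poisons the link depends on which header the vulnerable code reads: this builder prefers X-Forwarded-Host, so Method-2 produces the attacker's link while Method-3 does not, which is why all three variants are worth sending. The allowlist check lowercases the host, strips the port and compares the whole string, so `WWW.EXAMPLE.COM:443` is accepted while anything with the real name as a prefix or suffix is refused.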
This is all for today’s writeup.
Thanks For Reading 😊
Profile Links:
Twitter: https://twitter.com/SAPT01
LinkedIn: https://www.linkedin.com/in/prajit-sindhkar-3563b71a6/
Instagram: https://instagram.com/prajit_01?utm_medium=copy_link
BUG XS Official Website: https://www.bugxs.co/