How to avoid “Host header injection” vulnerability

Tram Ho

I. What is the HTTP Host header?

The HTTP Host header has been a required part of every request since HTTP/1.1. It specifies the domain name the client wants to access. For example, when we use the browser to visit the website https://portswigger.net/web-security , our browser sends the web server a request whose Host header carries the domain portswigger.net.

In such a request, the Host field specifies the server and port number for the requested resource. If no port is specified, the default port 80 is assumed. To address a specific port (eg 8000), the port is appended to the host name in the Host field, as in Host: portswigger.net:8000.

Purpose of Host header

  • The HTTP Host header lets the server determine which application the client wants to talk to when several are reachable at the same IP address or URL (with port).
  • If a request contains no Host header, or a malformed one, the server may fail to route it to the intended application.
  • With virtual hosting, a single server can use the information in the Host header to direct users to many different applications:

Model


With a single server, users can be directed to example.com or to an intranet application of your choice by placing a proxy server in the middle that picks the backend from the Host header.

II. How can the HTTP Host header be hacked?

1. Host header injection attack

If the server fully trusts the HTTP Host header sent by the user and does not validate or handle it properly, an attacker can use this input to inject payloads that manipulate server-side behaviour. Attacks that inject payloads directly into the HTTP Host header are commonly referred to as “Host header injection”.

2. Cases in which Host header injection is possible

  • The server does not check the Host value in the user’s request, so an attacker can inject malicious payloads into the HTTP header.
  • Even if the Host header itself is handled securely, depending on the configuration of the server handling incoming requests, the value of the “Host” field could still be overridden by other headers.
  • The website is misconfigured because it relies on third-party architecture (proxies, load balancers, CDNs) whose behaviour was not accounted for.

3. Some attack techniques:

  • Change the domain in the “Host” field of the HTTP request
  • Insert two “Host” fields in the HTTP request
  • Add line-break characters (\r, \n) to the Host value
  • Pass the full URL directly in the GET request line
  • Insert an “X-Forwarded-Host” field to override the host

III. Attack Demo

Host Header Injection attack via Reset Password function:

Lab portswigger : https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning/lab-host-header-basic-password-reset-poisoning

Attack pattern

Attack method

Username of the victim: carlos (carlos@carlos-montoya.net)


Step 1 : The password reset function uses the Host field value in the user’s request to generate a password reset link. The link structure would be:

https://$HOST/password/reset?token={token}

Step 2 : The attacker changes the Host field value to a domain the attacker controls, while keeping the email address in the form as the victim’s. The request sent looks like the following:


Step 3 : The victim receives the password reset link in the email and clicks on it. Because the link points at the attacker’s domain, the attacker’s server logs the request, including the victim’s token. The link the victim received does not, of course, actually work for them.


Step 4 : In the previous step the victim only clicked a link with a valid token and the wrong domain, so the token has not been consumed and is still valid. The attacker now takes the token, swaps in the real website’s domain, and uses the reset page to change the password of the victim’s account:


Step 5 : Result: BOOOOOOOOOOM

The victim’s account was stolen:


IV. Prevention:

  • Configure the website to use the current domain name pre-set in the server’s configuration instead of taking it from the user’s request.
  • When a request arrives, check its Host header against a pre-set allow list of hosts on the server and reject any host not on the list.
  • Disable support for override headers (such as X-Forwarded-Host) to prevent attackers from rewriting the host.
  • When using virtual hosting, avoid placing internal applications alongside public ones, so that an unsafe configuration cannot expose them.
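As an added example (not code from the original post or the lab), the password-reset link builder is shown in the vulnerable form the demo exploits beside a hardened form that applies the first three points above; `ALLOWED_HOSTS`, `CANONICAL_HOST` and the plain header dict standing in for a request are assumptions.

```python
# Added example: vulnerable vs. hardened password-reset link generation.
# `headers` is a plain dict standing in for an incoming request's headers.
import re
from urllib.parse import urlencode

# Hypothetical server configuration: the only hosts this app is served under.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_HOST = "example.com"

# A well-formed host: name characters plus an optional port; no whitespace,
# so CR/LF injection attempts fail the check as well.
_HOST_RE = re.compile(r"^[a-z0-9.-]+(:\d{1,5})?$", re.IGNORECASE)


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Mirrors the lab: the link's host is copied straight from the request,
    and an override header (X-Forwarded-Host) is even preferred over Host."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/password/reset?{urlencode({'token': token})}"


def validate_host(headers: dict) -> str:
    """Return the request's Host only if its name is in ALLOWED_HOSTS.
    X-Forwarded-Host is deliberately ignored (override headers disabled)."""
    host = headers.get("Host", "").strip().lower()
    if not _HOST_RE.fullmatch(host):
        raise ValueError("malformed Host header")
    name = host.split(":")[0]  # compare the name only; a port must not bypass the list
    if name not in ALLOWED_HOSTS:
        raise ValueError(f"Host {host!r} is not an allowed host")
    return host


def host_is_allowed(headers: dict) -> bool:
    """Convenience predicate around validate_host()."""
    try:
        validate_host(headers)
        return True
    except ValueError:
        return False


def safe_reset_link(headers: dict, token: str) -> str:
    """Hardened version: reject requests for unknown hosts, then build the
    link from the configured canonical host rather than from the request."""
    validate_host(headers)
    return f"https://{CANONICAL_HOST}/password/reset?{urlencode({'token': token})}"
```

With the constructed header `Host: attacker.example` the vulnerable builder emits a link to the attacker's domain, while the hardened builder raises ValueError and never produces a link.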

Source : Viblo