HOST HEADER INJECTION

  • Web servers are commonly configured to host several websites or web applications on the same IP address, and that is what makes Host Header Injection possible. The Host header determines which site or web application should process an incoming HTTP request.
  • The web server uses the Host header value to dispatch the request to the intended site or web application. Each web application hosted on the same IP address is commonly referred to as a virtual host.
  • An attacker can steer the application into producing their desired output simply by editing the Host header value. Many web servers are configured to pass a request with an unknown Host header to the first virtual host in the virtual host list without any further check.
  • That is why it is possible to send HTTP requests with arbitrary Host headers and have them served by the first virtual host.

Risk of Host Header Injection Attack :-

Many websites take values from user-controlled input and use them later without proper input validation; on its own this often has little impact on the application.

But where the application trusts the Host header value, that is where the risk lies.

Then the following may occur :

  1. URL redirection issues.
  2. Username and password credentials may get stolen.
  3. Password reset poisoning.
  4. Session hijacking attack.
  5. Financial loss may occur.

Phases of Host Header Injection :-

1) Web Cache Poisoning With Single Host Header :-

The hacker needs to poison a caching proxy that is run by the website itself, such as a content delivery network (CDN) or another caching layer that sits between the client and the server. This scenario applies wherever caching is enabled.

The hacker can potentially embed a remote URL as the base URL for any page of the website. This causes other users who request the site to be redirected unknowingly.

The cache then serves the poisoned content to everyone who requests the webpage, without the victims being aware of it.

2) Password Reset Poisoning :-

The most significant impact of a Host header attack lies in the password reset functionality.

The most common scenario of this attack is that the hacker triggers a password reset so that a secret token is generated, and the reset mail carries a link that points at a host controlled by the hacker.

The hacker then urges the user to follow that link; the requested password reset link redirects the user to the hacker's host.

If the web application uses the Host header value when composing the reset link, and the user clicks the poisoned reset link in the mail, the user becomes a victim of the hacker: the attacker obtains the password reset token and uses it to reset the password for their own destructive purposes.

3) Web Poisoning With Multiple Host Headers :-

It is similar to web cache poisoning using a single Host header.

The only difference is that the request carries the Host header more than once, and the cached result is delivered to the users who request the website.

By tampering with the headers it is possible that the web cache will deliver the wrong content to the user without their knowledge.

4) Routing-based SSRF :-

SSRF vulnerabilities are usually based on XXE or on exploitable business logic that sends HTTP requests to URLs derived from user-controlled input.

Routing-based SSRF, on the other hand, relies on the use of intermediate components that are popular in many cloud-based architectures. This includes internal load balancers and reverse proxies.

Their privileged network location allows them to receive requests directly from the public network and to reach many, but not all, internal networks. This makes the Host header a powerful carrier of SSRF attacks, and it is possible to turn a simple load balancer into a gateway to the whole internal network.

  • Without proper validation of the header value, an attacker can supply invalid input that causes the web server to:

  1. Dispatch requests to the first virtual host on the list.
  2. Cause a redirect to an attacker-controlled domain.
  3. Perform web cache poisoning.
  4. Manipulate password reset functionality.
  5. Manipulate business logic flaws in specific functionality.
  6. Perform routing-based SSRF.
  7. Disclose classic server-side vulnerabilities, such as SQL injection.

HTTP Security Headers :-

When a user visits a site through a browser, the server responds with HTTP response headers. These headers tell the browser how to behave during communication with the site, and they mainly consist of metadata.

These headers can be used to shape the communication and improve web security:

i. HTTP Strict Transport Security (HSTS)

If a site is equipped with HSTS, the server forces the browser to communicate over secure HTTPS; this way the possibility of a plain HTTP connection is eliminated entirely.

ii. Content Security Policy (CSP)

Content Security Policy protects against Cross-Site Scripting and other code injection attacks, and all the major browsers support it.

iii. Cross-Site Scripting Protection (X-XSS)

The X-XSS header protects against Cross-Site Scripting attacks. The XSS filter is enabled in Chrome, IE, and Safari by default. This filter doesn't let the page load when it detects a cross-site scripting attack.

iv. X-Frame-Options

X-Frame-Options helps guard against attacks like Clickjacking. It does this by telling browsers not to render the site inside a frame or iframe; in other words, it doesn't let others embed your content.

v. X-Content-Type-Options

The X-Content-Type-Options header offers a countermeasure against MIME sniffing.

MIME sniffing can also be used to execute cross-site scripting attacks.

Tools to find Host Header Vulnerability :-

XFORWARDY (Python-based automated scanner).

Host Header Attack test.

We can also use an intercepting proxy (Burp Proxy) and test manually with Burp Intruder and Burp Repeater.

How To Mitigate Host Header Attack :-

Validate and sanitize user-supplied inputs properly.

Validate each request properly: check whether it was addressed to the original target host or not.

Mitigate the Host header attack in Apache and Nginx by creating a dummy (default) virtual host that catches all requests carrying unrecognized Host headers.

Whitelist all the trusted domains in the initial phase of the web application.

Map the domain received in the Host header of each HTTP request against the application's own configured domain, and reject mismatches.

Use a secure server configuration.
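As an added example (not from the original article), a Python sketch of the password reset case from section 2 and the multiple-Host-header case from section 3, next to the allowlist and mapping checks recommended above: the vulnerable reset-link builder sits beside its hardened form. The hostnames, the token and the header lists are constructed for the demo.

```python
import re
from urllib.parse import urlunsplit

# Constructed allowlist for the demo: the only hostnames this app is served under.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_HOST = "www.example.com"          # used for every absolute URL we emit
_HOST_RE = re.compile(r"^([a-z0-9.-]+)(?::\d{1,5})?$")


def _host_values(headers):
    """headers is a list of (name, value) pairs, so duplicate Host headers stay visible."""
    return [value for name, value in headers if name.lower() == "host"]


def build_reset_link_vulnerable(headers, token):
    """The flaw from section 2: the link is composed from whatever Host the client sent."""
    return f"https://{_host_values(headers)[0]}/reset?token={token}"


def validate_host(headers):
    """Mitigation: exactly one Host header, well-formed, and on the allowlist.
    Returns the normalised hostname (port stripped) or raises ValueError."""
    hosts = _host_values(headers)
    if len(hosts) != 1:                      # section 3: repeated Host headers
        raise ValueError(f"expected exactly one Host header, got {len(hosts)}")
    match = _HOST_RE.match(hosts[0].strip().lower())
    if match is None or match.group(1) not in ALLOWED_HOSTS:
        raise ValueError(f"unrecognised Host header: {hosts[0]!r}")
    return match.group(1)


def build_reset_link_hardened(headers, token):
    """Reject unknown hosts, then build the link from configuration, not the request."""
    validate_host(headers)
    return urlunsplit(("https", CANONICAL_HOST, "/reset", f"token={token}", ""))


def check_request(headers, token):
    """Convenience wrapper: ('ok', link) or ('rejected', reason)."""
    try:
        return "ok", build_reset_link_hardened(headers, token)
    except ValueError as err:
        return "rejected", str(err)


if __name__ == "__main__":
    token = "abc123"                                   # constructed, not a real token
    for hdrs in ([("Host", "www.example.com")],
                 [("Host", "attacker.invalid")],       # spoofed Host (constructed)
                 [("Host", "www.example.com"), ("Host", "attacker.invalid")]):
        print(build_reset_link_vulnerable(hdrs, token), "|", check_request(hdrs, token))
```

A default catch-all virtual host in Apache or Nginx does the same job one layer earlier, so requests with an unknown Host never reach the application at all.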
