3

I am a beginner in security and reading about host header injection. I tested an application for this vulnerability and it is possible there for some request, but the developer implemented no-cache, no-store flags and this vulnerability is not in password reset request.

So first, there will not be cache poisoning, and second it is not happening in password reset request.

As I understand that to exploit this vulnerability, I change the host header. So I want to know why would it be a vulnerability? Why would a user want to change the Host of the application? And how can an attacker exploit it?

Anders
  • 64,406
  • 24
  • 178
  • 215
Pawan Dwivedee
  • 65
  • 6
  • 2
    I think you need to do a little more reading. This is well covered in many places out there: http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html – schroeder Dec 20 '17 at 07:13
  • A server that accepts anything as a host header may make a [DNS rebinding attack](https://www.sjoerdlangkemper.nl/2017/09/13/attacks-on-host-header/) possible. – Sjoerd Dec 20 '17 at 08:02

1 Answers1

1

The thing with host header injection is that it can allow an attacker to control part of a response. From a great article at Acunetix:

The PHP script in the following example is a typical and dangerous use of the host header.

<script src="http://<?php echo _SERVER['HOST'] ?>/script.js">

An attacker can potentially manipulate the code above to produce the following HTML output just by manipulating the host header.

<script src="http://attacker.com/script.js">

But if you are only manipulating the response you get yourself, this isn't very useless. After all, XSS:ing yourself isn't that fun. You need to change the response your victim get, but you can't modify the host header of your victims request. Whats to do? There are two common ways:

  • Cache poisoning: If the response that loads a script from attacker.com is cached at some server, it will be served to others as well. Bingo!
  • Password reset: If you can modify the password reset link that is sent out in emails, you can steal the password reset token once the victim clicks it. (Note that this is not modifying the HTTP response, but rather an email the server sends.)

So if none of this works, does that mean everything is good and well? Not really. It probably mean that this can't be exploited at the moment, at least not in an easy way, but it is still bad and something that should be reported in a pentest report. Because what happends if someone changes the chache policy one day? You don't want to be just a server reconfig away from getting owned.

Community
  • 1
Anders
  • 64,406
  • 24
  • 178
  • 215
  • Here's another possibility; https://labs.detectify.com/2016/10/24/combining-host-header-injection-and-lax-host-parsing-serving-malicious-data/ Though it has a number of pre-requisites. – 1lastBr3ath Jan 07 '18 at 03:24