16

My team's been doing some research into WAF protections based upon a WAF testing tool released at Black Hat this year. In the tool, there's a list of hostname evasion tests - that are really just an outline of ideas for testing manually.

There's just one that has us stumped - what is a "Trailing host header" as a hostname evasion technique?

Can anyone suggest a viable test for this?

Iszi
  • 26,997
  • 18
  • 98
  • 163
bethlakshmi
  • 11,606
  • 1
  • 27
  • 58
  • Up-voting just because of the significance of you posting your first question, after over 1.5 years, 70+ answers, and 4k+ earned rep! That's gotta be some sort of special record, and a good one to have in my book! – Iszi Aug 17 '12 at 19:55
  • 1
    Wow. Google has exactly two results for `"trailing host header"` - the Sec.SE homepage, and this question. Tough. – Iszi Aug 17 '12 at 19:59
  • @Iszi - Thanks! :) I hadn't even really realized that - in the last few years, I'd been a SME in PKI so I took a bunch of those... but work didn't trigger much new thinking... now with a new job, I'm doing the beginning simple stuff in house, but this one came up and stumped us all. Glad it stumped Google, too! – bethlakshmi Aug 20 '12 at 12:54

1 Answer

12

The Host header is used by the client to indicate with which server name it wants to speak. Multiple websites may be served from a single IP address.

In the HTTP protocol, data may be sent in multiple chunks. This is especially useful if the server does not know the size of the data before completing the request (e.g. a live stream or a web application that starts to send some results while still working on the rest).

See 3.6.1 Chunked Transfer Coding for details:

The chunk-size field is a string of hex digits indicating the size of the chunk. The chunked encoding is ended by any chunk whose size is zero, followed by the trailer, which is terminated by an empty line.

The trailer allows the sender to include additional HTTP header fields at the end of the message.

Even if a client is uploading something of unknown size, it will know the target location at the time it opened the connection. Therefore it makes no sense to put the Host header into the trailing section behind the data.

The situation may be exploitable if the request is handled by a reverse proxy (aka web application firewall) that enforces access rules: the reverse proxy may see one of the Host headers, but the web application may see the other one.

Hendrik Brummermann
  • 27,118
  • 6
  • 79
  • 121
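The answer above explains the mechanism (a chunked body ends with a trailer section that may carry additional header fields, and a Host field placed there can be read differently by a proxy and by the application behind it). The following is an added example, not code from the question, the answer, or any WAF tool, showing what a defender's parser should do with it: it parses a chunked request into headers, body and trailers, then contrasts a naive merge of trailer fields into the header set with a strict check that rejects any trailer carrying a field RFC 7230 section 4.1.2 forbids there (Host among them). The sample request, the field list and all function names are constructed for this illustration.

```python
# Added example (not from the original post): a minimal parser for an
# HTTP/1.1 request with chunked transfer coding, used to show why a Host
# field in the trailer section must be rejected rather than merged.
# All names and the sample request below are constructed for illustration.

# RFC 7230 section 4.1.2 lists fields a sender MUST NOT put in a trailer
# because they are needed before the body can be processed. This subset
# is an assumption of the example, not an exhaustive copy of the RFC list.
FORBIDDEN_TRAILER_FIELDS = {
    "host", "content-length", "transfer-encoding", "authorization",
    "cookie", "content-type", "content-encoding", "range", "te", "trailer",
}


def _parse_fields(block: str) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    fields = {}
    for line in block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields


def parse_chunked_request(raw: bytes):
    """Split a raw chunked request into (request_line, headers, body, trailers)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.decode("ascii").partition("\r\n")
    headers = _parse_fields(header_block)
    if headers.get("transfer-encoding", "").lower() != "chunked":
        raise ValueError("example only handles Transfer-Encoding: chunked")

    body = bytearray()
    pos = 0
    while True:
        line_end = rest.index(b"\r\n", pos)
        # chunk-size is hex; a ';ext=val' chunk extension, if any, is ignored
        size = int(rest[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:            # last-chunk: what follows is the trailer-part
            break
        body += rest[pos:pos + size]
        pos += size + 2          # skip the CRLF that terminates the chunk data
    trailer_block, _, _ = rest[pos:].partition(b"\r\n\r\n")
    trailers = _parse_fields(trailer_block.decode("ascii"))
    return request_line, headers, bytes(body), trailers


def naive_effective_host(headers: dict, trailers: dict):
    """What a component that blindly merges trailers into headers would use."""
    merged = dict(headers)
    merged.update(trailers)
    return merged.get("host")


def strict_effective_host(headers: dict, trailers: dict):
    """Hardened behaviour: refuse the message outright if a trailer carries a
    field that may not appear there; otherwise use the header-section Host."""
    bad = sorted(FORBIDDEN_TRAILER_FIELDS & set(trailers))
    if bad:
        raise ValueError(f"forbidden field(s) in trailer: {', '.join(bad)}")
    return headers.get("host")


# Constructed sample: the Host header names one host, the trailer another.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: public.example\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"Host: internal.example\r\n"
    b"\r\n"
)


def demo():
    """Return (body, naive_host, strict_result) for the constructed sample."""
    _, headers, body, trailers = parse_chunked_request(SAMPLE_REQUEST)
    naive = naive_effective_host(headers, trailers)
    try:
        strict = strict_effective_host(headers, trailers)
    except ValueError as exc:
        strict = f"rejected: {exc}"
    return body, naive, strict


if __name__ == "__main__":
    print(demo())
```

The point to take from the two resolvers is that the discrepancy only exists if some hop accepts trailer fields it should never honour; a proxy or WAF that parses the full chunked body, applies the forbidden-field check above, and either drops the request or strips the offending trailer fields before forwarding leaves the application behind it with the same Host value the proxy evaluated.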