
I am new to this field and would like to know how the flow happens in a host header injection attack.

I believe it's as below:

  1. Client generates the request.

  2. Attacker manipulates the request and changes the host header (to say example.com).

  3. Server (abc.com) receives the request and resolves to the manipulated host (here example.com).

If the above were true, does this mean that SSRF is possible using the host header, as example.com would think the request is coming from abc.com?

Could you please clarify?

Anders
  • You might want to give more context and clarify why you asked "example.com would think request is coming from abc.com" rather than "receive a request from". – Enos D'Andrea Mar 17 '19 at 18:44
  • I think your flow is wrong. In a host header injection attack, the attacker is the one that sends the request. What you are describing sounds more like a MITM situation, where the attacker manipulates a request sent by a victim client. – Anders Mar 18 '19 at 07:59

2 Answers

1

The host header can be seen by the application, and requests with non-existent hosts are submitted to the default virtualhost, so the answer can be yes.

In order to have a SSRF vulnerability on the host header all the following factors must be present:

  • The web server must be configured with a default virtualhost
  • The server-side code must use the server name (or the host header directly)
  • The server side code must not check the server name against a whitelist
  • The server-side code must use the server name in a dangerous way (e.g. as code or as part of a network request)

In this blog post you can find the theory behind it for PHP.

Enos D'Andrea
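To make the four conditions in the answer above concrete, here is an added example (not code from the answer or from the linked blog post) that models them in Python: a tiny router that falls back to a default virtual host, an application function that builds an outbound URL from the Host header without a whitelist check, and the hardened variant that checks the server name against a whitelist first. The host names `abc.com`, `static.abc.com` and `example.com`, the `/internal/status` path and all request headers are constructed for the example.

```python
"""Host header -> SSRF: the unsafe and the hardened pattern side by side.

Constructed example. The virtual host table, the allowed server names and
the sample requests are all invented for illustration.
"""
from urllib.parse import urlsplit

# Constructed virtual host table. Requests whose Host header matches nothing
# are still served, by the default vhost (condition 1 in the answer).
VHOSTS = {"abc.com": "app", "static.abc.com": "static"}
DEFAULT_VHOST = "abc.com"
ALLOWED_SERVER_NAMES = frozenset(VHOSTS)


def _server_name(host_header: str) -> str:
    """Normalise a Host header value: drop the port, lower-case the name.

    Bracketed IPv6 literals are not handled here; a real deployment should
    reject them explicitly or parse them properly.
    """
    return host_header.split(":", 1)[0].strip().lower()


def select_vhost(host_header: str) -> str:
    """Mimic a server that routes unknown Host values to its default vhost."""
    name = _server_name(host_header)
    return name if name in VHOSTS else DEFAULT_VHOST


def build_fetch_url_unsafe(headers: dict) -> str:
    """Vulnerable pattern: use the Host header directly in a network request.

    Conditions 2, 3 and 4 from the answer all hold: the server name is used,
    it is never compared with a whitelist, and it ends up inside a URL the
    application will fetch. A forged Host therefore redirects that fetch
    to a host of the sender's choosing (SSRF).
    """
    host = headers.get("Host", DEFAULT_VHOST)
    return f"http://{host}/internal/status"


def build_fetch_url_safe(headers: dict) -> str:
    """Hardened pattern: only server names from the whitelist are accepted."""
    raw = headers.get("Host", "")
    name = _server_name(raw)
    if name not in ALLOWED_SERVER_NAMES:
        raise ValueError(f"rejected Host header: {raw!r}")
    return f"http://{name}/internal/status"


def is_external(url: str, own_hosts=ALLOWED_SERVER_NAMES) -> bool:
    """True when a URL the application built points away from its own hosts.

    Useful as a last-line check (or a log/alert condition) before any
    server-side fetch.
    """
    return urlsplit(url).hostname not in own_hosts


if __name__ == "__main__":
    forged = {"Host": "example.com"}  # constructed attacker-supplied header
    legit = {"Host": "abc.com"}

    print(select_vhost(forged["Host"]))           # abc.com (default vhost)
    print(build_fetch_url_unsafe(forged))         # http://example.com/internal/status
    print(is_external(build_fetch_url_unsafe(forged)))  # True
    print(build_fetch_url_safe(legit))            # http://abc.com/internal/status
    try:
        build_fetch_url_safe(forged)
    except ValueError as exc:
        print(exc)                                # rejected Host header: 'example.com'
```

The point to take from `select_vhost` is that the forged request is not dropped by the server: it is routed to the default vhost and the application code runs normally, which is why the whitelist check in `build_fetch_url_safe` has to live in the application (or in the server configuration) rather than being assumed from the vhost setup. Note that the check runs on the normalised server name, so `Static.ABC.com:8080` is accepted as `static.abc.com` while anything outside the whitelist is rejected before a URL is ever built.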
0

The question is a bit broad in my opinion. However, in simple word(s), yes.

Have a look at this article, posted by Ian Muscat at the Acunetix website, showing PHP that is vulnerable to Server Side Request Forgery.

Joezer