
I have recently launched a new Django-based API, and quite quickly, I started to receive INVALID_HOST_HEADER SOME RANDOM URL errors. My understanding is that this is caused by somebody manually changing the HOST header, or proxying my API through some other domain.

This is probably a basic question, but what is the point? What are they trying to achieve? Presumably it's not a regular MITM attack, because it would be easy enough to correct the HOST header on its way out of the middle server, and they're not doing so.

Alex

2 Answers


Using a proxy isn't necessary. I wrote a PowerShell module SocketHttpRequest which allows one to submit a custom HTTP request to a destination. It was created to test applications without having to modify DNS or the local hosts file.

netcat is another option: How to make an HTTP GET request manually with netcat?

In terms of what they're trying to achieve:

1) IP Address

Many internet scanners just scan IP address ranges looking for vulnerable web servers. When a web server is found, they send it a request using the destination IP address as the host header value (e.g. Host: 1.1.1.1). No additional steps are taken to determine what website is actually being hosted (e.g. reverse DNS lookup).

2) Alternative Host Values

Occasionally a request for an unknown host header value will be submitted. This is to see if the web server will respond with the "default" website, which allows any host header value and should be avoided. This is of greatest concern for web applications and Content Management Systems (CMS) that may rely on the host header value for generating links and other tasks.

Example: Suppose your website is configured to allow any host header value and all links are dynamically generated based on that value. I register a domain bad.com to your web server IP address. Upon visiting bad.com, your website is displayed with all the links resolving to bad.com.

3) Security Filtering

In some cases, modifying the Host: value is an attempt to bypass or enumerate any security filtering in place. This could be a Web Application Firewall (WAF), load balancer, web server, or modules within the application itself.

Fix

The best fix for this is two-fold.

  1. Websites should only respond to requests for the host header values registered in DNS. "Default" websites should be avoided.
  2. Applications should use Host values from configuration files and not rely on the server providing this value. This defense-in-depth mitigates the risk of a misconfiguration.
phbits

This article explains the host header attack https://www.acunetix.com/vulnerabilities/web/host-header-attack/

[EDIT] I will expand on my answer as requested in the comments. Attackers use the host header attack in an attempt to get the targeted site to generate links using the attacker-supplied Host header, hoping that the target site trusts the supplied header rather than using the internally configured SERVER_NAME. This by itself isn't an issue, as the malicious links generated in the HTTP response will only be sent to the attacker. However, this can become an issue if those generated links get cached by a shared proxy that legitimate users also use, such as a reverse proxy that sits in front of the site. Additionally, if the server stores those links for re-use or emails them to legitimate users, such as a password reset link, it could also be exploited.

On a related topic, attackers could also be fuzzing the host header in their requests in an attempt to enumerate other virtual hosts configured on that server (see Name-based Virtual Host in the Apache docs https://httpd.apache.org/docs/2.4/vhosts/name-based.html) [/EDIT]

ansichart
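A concrete form of the two-part fix in phbits's answer, and of the link-generation point in ansichart's edit, as an added Python example that is not code from either answer or from Django itself: it mirrors the matching convention of Django's ALLOWED_HOSTS (exact name, or a dot-prefixed pattern covering subdomains), buckets refused Host values by the probing patterns listed above, and builds links from a configured origin instead of the request. The host names and origin are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed configuration (hypothetical hosts). A leading dot matches the
# domain and every subdomain, the same convention Django's ALLOWED_HOSTS uses.
ALLOWED_HOSTS = ["api.example.com", ".example.org"]
# Origin for generated links: from configuration, never from the request.
CANONICAL_ORIGIN = "https://api.example.com"

_HOST_RE = re.compile(r"^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(:\d{1,5})?$")

def normalize_host(header):
    """Lower-case the Host value, drop the port and any trailing dot; None if
    the value is not even syntactically a host."""
    m = _HOST_RE.match(header.strip().lower())
    if m is None:
        return None
    host = m.group(1)
    return host[:-1] if host.endswith(".") else host

def host_is_allowed(header, allowed=ALLOWED_HOSTS):
    """Accept only hosts registered for this deployment: an exact match, or a
    subdomain of a dot-prefixed pattern. Anything else is a 'default site'
    request and is refused."""
    host = normalize_host(header)
    if host is None:
        return False
    return any(
        (host == p[1:] or host.endswith(p)) if p.startswith(".") else host == p
        for p in allowed
    )

def classify_rejected(header):
    """Bucket a refused Host value by the probing pattern behind it: a bare IP
    literal (range scanner) or an unknown name (default-site or vhost probe)."""
    host = normalize_host(header)
    if host is None:
        return "malformed"
    try:
        ipaddress.ip_address(host.strip("[]"))
        return "ip-literal"
    except ValueError:
        return "unknown-name"

def absolute_url(path, origin=CANONICAL_ORIGIN):
    """Build a link (e.g. a password-reset URL) from the configured origin so an
    attacker-supplied Host never reaches cached pages or e-mails."""
    scheme, netloc, _, _, _ = urlsplit(origin)
    return urlunsplit((scheme, netloc, path, "", ""))
```

Feeding the Host value from each INVALID_HOST_HEADER log entry through classify_rejected gives a quick picture of whether the noise is range scanning or deliberate default-site probing.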