0

I was reading about host header injection and found many reports on HackerOne.

Assume that if you inject an X-Forwarded-Host header into specific requests, you may cause a redirect which can impact the people on the network (e.g. https://hackerone.com/reports/158019). But how could this be possible? From what I know, if the site is using the SSL protocol, then all headers will be encrypted all over the network, so how can I add the X-Forwarded-Host?

DannyNiu
Malek

1 Answer

1

The TLS/SSL protocol ensures both the confidentiality and integrity of the communication, and thus, a proxy without a certificate trusted by the user agent cannot insert any header.

The attack is only possible when:

  1. an HTTPS proxy with a certificate trusted by the user agent,
  2. modifies in-bound HTTP messages tricking the origin server,
  3. origin server didn't configure a default fall-back virtual host to handle un-recognized Host header values, and mishandled the modified HTTP request.

This is generally not possible in end-user browsers, as Host is a forbidden header and JavaScript cannot set it. Host can be altered, however, using programs (curl, wget) and libraries (okhttp, libcurl) programmatically; in which case, social engineering is needed to realize the effect of the exploit.

As mentioned in the link in the question, some participants of the thread (see the bottom of the page) don't consider the impact of Host header injection a major exploit.

DannyNiu
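The server-side handling that condition 3 of the answer refers to, as an added example that is not part of the original answer: the origin only builds redirects from a Host value on its own allowlist, honors X-Forwarded-Host only from its own proxies, and otherwise falls back to a default host. The host names, the proxy address range and the function names are assumptions made for the illustration.

```python
import ipaddress

# Assumed values for this sketch (not from the original post).
ALLOWED_HOSTS = {"example.com", "www.example.com"}      # virtual hosts this origin serves
CANONICAL_HOST = "www.example.com"                      # default fall-back host
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # our own TLS-terminating proxies


def normalize_host(value):
    """Lower-case a Host value and strip its port; return None if malformed."""
    if not value:
        return None
    host = value.strip().lower()
    # Reject proxy chains ("a, b"), userinfo, paths and control characters
    # instead of guessing which part was meant.
    if any(c in host for c in ", /\\@?#[]\r\n\t"):
        return None
    name, sep, port = host.partition(":")
    if sep and not port.isdigit():
        return None
    return name.rstrip(".") or None


def from_trusted_proxy(peer_ip):
    """True if the TCP peer is one of our own reverse proxies."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_host(peer_ip, headers):
    """Pick the host name used for absolute URLs and redirects.

    `headers` is assumed to be a dict keyed by canonical header names.
    """
    candidate = normalize_host(headers.get("Host"))
    forwarded = headers.get("X-Forwarded-Host")
    # X-Forwarded-Host is only meaningful when our own proxy set it.
    if forwarded is not None and from_trusted_proxy(peer_ip):
        candidate = normalize_host(forwarded)
    # Unrecognized values never reach the response: fall back to the default.
    return candidate if candidate in ALLOWED_HOSTS else CANONICAL_HOST


def redirect_location(peer_ip, headers, path):
    """Build a Location header value from a server-chosen path."""
    return "https://" + effective_host(peer_ip, headers) + path
```
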