
If I go to the http site, e.g. http://www.example.com, the site will redirect (code 301) to the https version https://www.example.com. On various pentests I observed that if I modify the Host header in the http request, the Location header in the 301 redirect response would use that value for the redirect. For example:

 GET / HTTP/1.1 
 Host: www.example.com --> www.gulu.com

 HTTP/1.1 301
 Location: https://www.example.com --> https://www.gulu.com

(the TCP frame's destination IP is of course still the original one in the request above). This is a vulnerability, as the server uses the unvalidated Host header's value.

But how could someone realistically leverage that vulnerability for exploitation, e.g. redirect a victim to a malicious website? I couldn't come up with a scenario where I would realistically be able to manipulate the Host header of a victim's request (only man-in-the-middle, I guess, could work) or make the victim click on a link that would perform such a manipulation.

Does someone have some insight into this?

schroeder
Zapho Oxx
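The check the question describes (send a request with a modified Host header, then see whether the redirect's Location was built from it) can be turned into a small triage function over a captured response. This is an added example, not code from the original post; the host names and the two sample responses are constructed.

```python
# Added example (not from the original post): decide from a captured 301/302 response
# whether its Location header was built from the Host header that was sent. Constructed data.
from urllib.parse import urlsplit

EXPECTED_HOST = "www.example.com"   # host the site should always redirect to
INJECTED_HOST = "www.gulu.com"      # value placed in the Host header for the test
REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_redirect(raw: bytes):
    """Return (status_code, location) from a raw HTTP/1.x response head."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])        # "HTTP/1.1 301 ..." -> 301
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":    # header names are case-insensitive
            location = value.strip()
    return status, location

def classify_redirect(raw: bytes, injected_host: str = INJECTED_HOST,
                      expected_host: str = EXPECTED_HOST) -> str:
    """'reflected' = Location host equals the injected Host header (the finding),
    'fixed-host' = redirect target is independent of Host, 'relative' = no host
    in Location at all, 'other' = some third host, 'no-redirect' otherwise."""
    status, location = parse_redirect(raw)
    if status not in REDIRECT_CODES or location is None:
        return "no-redirect"
    parts = urlsplit(location)
    if not parts.netloc:
        return "relative"
    target = (parts.hostname or "").lower()       # hostname drops any :port
    if target == injected_host.lower():
        return "reflected"
    if target == expected_host.lower():
        return "fixed-host"
    return "other"

# Constructed responses: the reflected case from the question and a hardened server.
REFLECTED_RESPONSE = (b"HTTP/1.1 301 Moved Permanently\r\n"
                      b"Location: https://www.gulu.com/\r\n"
                      b"Content-Length: 0\r\n\r\n")
HARDENED_RESPONSE = (b"HTTP/1.1 301 Moved Permanently\r\n"
                     b"Location: https://www.example.com/\r\n"
                     b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(classify_redirect(REFLECTED_RESPONSE))   # reflected
    print(classify_redirect(HARDENED_RESPONSE))    # fixed-host
```

A server that passes the check answers "fixed-host" (or "relative") for a request whose Host header it does not recognise; "reflected" is the finding the question reports.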

1 Answer

No matter that some specs say that some headers cannot be modified programmatically; at the programming-language level it is possible:

So, I think someone could exploit this vulnerability in the following ways:

Browser side

  • Malicious browser
  • Use of Tampermonkey scripts without validation
  • Unsafe plugins

Load balancer side

These tools allow us to modify headers, so reading your question, I imagine that someone authorized or unauthorized could exploit this vulnerability.

Nginx example:

server {
    listen 80;
    location / {
        # set real host
        #proxy_set_header Host $http_host;
        # set whatever you want
        proxy_set_header Host "malicious.com";
        proxy_pass http://real.site:1234;
    }
}
schroeder
JRichardsz
  • You are basically saying that a reflected Host header can be used as an attack vector if client- or server-side infrastructure (load balancer) is already compromised. If this is the case, this kind of attack is not even needed, since much worse attacks are possible with this compromised infrastructure already, without Host header reflection. – Steffen Ullrich Jul 26 '21 at 15:49
  • Question owner said: I couldn't come up with a **scenario** where I would be realistically able to manipulate the host header. I show these scenarios. – JRichardsz Jul 26 '21 at 16:19
  • I do not consider any of the scenarios you show realistic. If an attacker already has the kind of deep access you describe as necessary, then the attacker would not care about this specific attack, since the attacker has much more powerful attacks. – Steffen Ullrich Jul 26 '21 at 16:28
  • Thanks for sharing your feedback with me. I'm here to learn about security. In the case of the load balancer, what if the attacker gains access just to this server and wants to be unnoticed? If I'm an attacker and I see a lot of IPs in the nginx configuration, I could choose one, modify its Host header, catch some users and then revert to the original host. Do you think it is possible? – JRichardsz Jul 26 '21 at 17:04
  • While it is not unlikely that the attacker wants to be mostly stealthy and only modify specific requests, I find it unlikely (but not impossible) that they will rely on an additional vulnerability in the server for this. This would make the attack depend too much on something out of the control of the attacker, since the vulnerability might eventually get fixed. – Steffen Ullrich Jul 26 '21 at 17:10
  • You said that it is possible. So, don't you think that nginx is a scenario in which Host header reflection could cause problems? If somebody reads my answer, they will want to review their nginx to check if somebody (temporary attacker, malicious insider, old administrators, etc.) is modifying the host. – JRichardsz Jul 26 '21 at 17:47
  • *"You said that it is possible"* - Lots of things are possible. It is important, though, to focus on the likely things first and then on the less likely things (if there is even time for that). It is not really important to check the nginx config specifically for Host header manipulation. Instead it is more important to check if the nginx configuration was modified by somebody else, since this can indicate a system compromise. – Steffen Ullrich Jul 26 '21 at 18:15