1

I have been researching HTTP Host header attacks. There are many examples such as <a href="https://_SERVER['HOST']/support">Contact support</a>. Why would anyone use an absolute path for resources served by the same server? I've only seen absolute paths to link to different servers. For example, I would expect <a href="/support">Contact support</a>. Since the href has a leading forward slash, the support page is relative to the root URL. Can a webserver that uses relative paths for all resources it serves still be exploited by HTTP Host header attacks?

2 Answers

1

Why would anyone use an absolute path for resources served by the same server?

One of the more common ways that you can actually exploit the Host header is in something like a password reset form. You make a request to reset the victim's password with a tampered header of Host: attacker.com, and then in the email they receive, the link will point to something like https://attacker.com/reset?token=abc123 - which lets you steal the token when they click the link.

Exploiting them directly in the application itself is difficult, because you need to be able to cause your victim's browser to make a request with the modified header - and if you can do that then there are lots of more interesting attacks that you can do.

Can a webserver that uses relative paths for all resources it serves still be exploited by HTTP Host Header attacks?

You won't be able to tamper with the header to cause links to point to other servers (although, as discussed above, this is hard to exploit on a website). However, the Host header is just like any other user input, so you can still find vulnerabilities such as SQL injection, and also potentially things like response splitting by injecting CRLF characters. If the value of the Host header is included in any backend logs, you could also end up with XSS.

Gh0stFish
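As an added illustration of the password-reset case described in this answer (example code, not from the answer or from any project; the host names, allowlist and canonical origin are constructed), the link builder that trusts the Host header beside one that takes the origin from server configuration and rejects unexpected Host values:

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed deployment settings: the origin reset links must always use,
# and the Host values this server is actually configured to serve.
CANONICAL_ORIGIN = "https://example.com"
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the reset link from the client-controlled Host header.
    A request sent with 'Host: attacker.example' yields a link whose
    hostname the attacker controls, so the token leaks when clicked."""
    host = headers.get("Host", "")
    return f"https://{host}/reset?token={token}"


def host_is_allowed(host: str) -> bool:
    """Compares the Host header (port stripped, lower-cased) to the allowlist."""
    return host.lower().split(":")[0] in ALLOWED_HOSTS


def reset_link_hardened(headers: dict, token: str) -> Optional[str]:
    """Builds the link from CANONICAL_ORIGIN, never from the request.
    Returns None when the Host header is not one we serve; the caller
    should answer 400 and log the value rather than continue."""
    if not host_is_allowed(headers.get("Host", "")):
        return None
    return f"{CANONICAL_ORIGIN}/reset?token={token}"


def link_leaves_origin(link: str) -> bool:
    """Detection helper for reviewing generated emails or logs: True when a
    link's hostname is not one of ours, i.e. the Host header got through."""
    return (urlsplit(link).hostname or "") not in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed request with a tampered Host header.
    tampered = {"Host": "attacker.example"}
    print(reset_link_vulnerable(tampered, "abc123"))  # link points at attacker
    print(reset_link_hardened(tampered, "abc123"))    # None: request rejected
    print(reset_link_hardened({"Host": "www.example.com:443"}, "abc123"))
```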
-1

The PortSwigger page on HTTP Host header attacks says that relative path usage helps to protect against HTTP Host header attacks. More broadly, you should not make server-side use of the header at all in order to avoid this particular vulnerability.

To prevent HTTP Host header attacks, the simplest approach is to avoid using the Host header altogether in server-side code. Double-check whether each URL really needs to be absolute. You will often find that you can just use a relative URL instead. This simple change can help you prevent web cache poisoning vulnerabilities in particular.

jaredad7
  • In my opinion this does not answer the question. The question is asking for other ways apart from absolute paths where Host header attacks can occur. You instead answer that relative paths help against (some) Host header attacks - which was already known by the OP. Neither you nor what you cite claim that relative paths help against **all** Host header attacks. In fact, the very page you cite contains some (vague) information on where it can also occur, like cache poisoning, business logic flaws, SQL injection ... – Steffen Ullrich Nov 15 '21 at 17:02
  • @SteffenUllrich I feel like we read completely different questions. The user's main focus was on absolute paths being used as a vector for Host Header attacks, so my answer mainly focused on that. Additionally, the user asked if webservers using relative paths can still be exploited. This is answered, too. "More broadly, you should not make server-side use of the header **at all** in order to avoid this particular vulnerability." – jaredad7 Nov 15 '21 at 17:54
  • In addition, the linked material goes into greater detail on the specific vectors for the attack and mitigation options. – jaredad7 Nov 15 '21 at 17:56
  • *"I feel like we read completely different questions."* - yes, it looks like. For me the part *"Can a webserver that uses relative paths for all resources it serves still be exploited by HTTP Host Header attacks?"* clearly shifted the focus away from path - since if no Host header is in the path it clearly could not do harm to the path. But this might not be obvious to the OP, in which case the question is still about the path, i.e. your interpretation. Unfortunately I cannot remove the downvote unless you edit your answer, so maybe extend it more to cover the other interpretation too? – Steffen Ullrich Nov 15 '21 at 18:15