
From official ASP.NET Core docs, namely Routing in ASP.NET Core § URL generation concepts:

Use GetUri* extension methods with caution in an app configuration that doesn't validate the Host header of incoming requests. If the Host header of incoming requests isn't validated, untrusted request input can be sent back to the client in URIs in a view or page. We recommend that all production apps configure their server to validate the Host header against known valid values.

(for those who don't know ASP: my understanding is that the GetUri* methods generate self-referential URIs by using the value of the Host header for the domain)

How can this be insecure?

I know that the Host header is in the control of the client. However, all such an "attack" can achieve is to substitute a link on a webpage with an "attacker"-generated value. This can be easily done with the browser console: just find a link and edit it. I can't see why one would want to do this either way.

I must be missing something. What harmful, malicious things can an attacker achieve by tricking the server into sending them back a link crafted by them?

gaazkam

1 Answer


With regard to "I know that the Host header is in the control of the client", and "What harmful, malicious things can an attacker achieve by tricking the server into sending them back a link crafted by them?": Whenever the server reflects information provided by the client into a web page that the server generates, without sanitizing this input, this opens the door to a Reflected XSS Attack.

At first glance, it may seem that the attacker would simply be attacking himself, by sending a request to the server containing malicious content which simply gets reflected back to him. But, if the attacker can get the victim to make a request containing malicious content to the unprotected site (either by sending the victim a link in a phishing email, or by posting a link or form on a site that the victim visits), then the victim can be impacted. See What is Reflected XSS? and What is the danger of Reflected Cross Site Scripting? for more information on this type of attack, and the impact that it can have on the victim.

Having said that, most reflected XSS attacks are carried out using malicious content in the URL query string, or in the payload of a post request, or other fields in the victim's request that an attacker can populate. If the victim is using a modern web browser, then the HOST field of the request header may be more difficult for an attacker to populate. For more information on this, see How can I control the content of the HTTP HOST header in requests issued from my website?. But notwithstanding, it's a good practice to ensure that your site sanitizes all inputs in a client's request that may be reflected back to a web page that the server generates - including the HOST header.

mti2935
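The mitigation the quoted docs and the answer both point to is an explicit Host allow-list in front of anything that calls GetUri*. The following Program.cs is an added example, not code from the question, the answer or the ASP.NET Core docs; the domain names are placeholders, and it assumes ASP.NET Core 6+ minimal hosting.

```csharp
// Program.cs (ASP.NET Core 6+ minimal hosting). Added example, not from the original post.
using Microsoft.AspNetCore.HostFiltering;

var builder = WebApplication.CreateBuilder(args);

// Weak setting: the default project template ships appsettings.json with
//     "AllowedHosts": "*"
// which accepts any Host header, so GetUri* will echo whatever the client sent.
// Corrected setting, either in appsettings.json
//     "AllowedHosts": "example.com;*.example.com"
// or explicitly in code, as here (this Configure call runs after the defaults and overrides them):
builder.Services.Configure<HostFilteringOptions>(options =>
{
    options.AllowedHosts = new[] { "example.com", "*.example.com" }; // placeholder domains
    options.AllowEmptyHosts = false;      // reject requests with no Host header at all
    options.IncludeFailureMessage = false; // do not describe the allow-list to the client
});

var app = builder.Build();

// Host filtering must run before any endpoint that builds absolute URLs from the request.
// (The default host builder already registers it; calling it again is harmless.)
app.UseHostFiltering();

app.MapGet("/", (HttpContext ctx, LinkGenerator links) =>
{
    // GetUriByName takes scheme and host from the current request. With the filter
    // above in place, ctx.Request.Host can only be one of the allowed values, so the
    // generated link cannot carry an attacker-supplied host back into the page.
    var self = links.GetUriByName(ctx, "home", values: null);
    return Results.Text($"<a href=\"{self}\">home</a>", "text/html");
}).WithName("home");

app.Run();
```

A request whose Host header is not on the list now receives a 400 before the endpoint runs, which is the check the docs ask production apps to have.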