
Is anyone familiar with a way in which I can post a link on my website, that when accessed will cause users to issue an HTTP request to a 3rd party site with custom content in the HOST header (different from the actual host/domain to which the request is sent on the IP level)? A short example to clarify my intention - a request sent to www.example.com:

GET / HTTP/1.1
Host: $$CUSTOM_PAYLOAD$$ (not www.example.com)
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

I have seen several discussions on the subject of issuing requests with CUSTOM headers, but this is not the case as the header is a legitimate header accepted by the receiving party. In addition, I have seen various publications on attacks (mainly reflected XSS) that rely on malicious input in the HOST header, although I am not quite sure how they can be executed.

user3074662
  • Hi, I haven't found a way to perform this task (apart from the flash vulns which only work on out of date flash versions). If you are familiar with more ways to perform this (that have not been mentioned here) - It would be greatly appreciated. – user3074662 Dec 30 '13 at 06:53

3 Answers


If you want the user to issue the request, then it is not possible to do this with an XMLHttpRequest:

Terminate these steps if header is a case-insensitive match for one of the following headers:

Accept-Charset
Accept-Encoding
Access-Control-Request-Headers
Access-Control-Request-Method
Connection
Content-Length
Cookie
Cookie2
Date
DNT
Expect
Host
Keep-Alive
Origin
Referer
TE
Trailer
Transfer-Encoding
Upgrade
User-Agent
Via

However, this used to be possible in Flash due to a bug in versions 7 and 8 when used in combination with IE:

In IE, it is also possible to overwrite some more sensitive headers (e.g. Host and Content-Length) by appending colon to the header name (this technique was described in [3] in the context of XmlHttpRequest):

req.addRequestHeader("Host:","foobar.site");

SilverlightFox

Using a tool like cURL you can issue requests and specify any request you want. This post goes over setting the Host header in a request.

Since you control the website, would it be possible for you to have the link initiate a request to your own server that fires a customized HTTP request to the target site using cURL or some other tool that lets you specify the Host header?

Depending on what programming language you are using on the server side you may be able to do it directly from there which would be a better option.

Abe Miessler
  • Thanks for the advice, I can use any language that fits the needs, the question is - would the response to the HTTP request be returned to the original user pressing the link, as if he was the one that issued the request with the custom host header? – user3074662 Dec 10 '13 at 11:39
  • Sure, if you forward it on to them. Of course, you can modify it in any way you'd like... you're basically just setting up a MitM. – Xiong Chiamiov Dec 10 '13 at 22:40
  • Haa I see. So this vector won't work in case the 3rd party site uses SSL. – user3074662 Dec 11 '13 at 07:49
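The relay approach from this answer, written out as an added example (it is not code from the answer or its comments). The point it shows is that the Host header is just bytes inside the request, independent of the TCP destination: a server you control can open a socket to the target's IP and put whatever it likes in Host, which is exactly what a browser's XMLHttpRequest refuses to do. The third-party site is replaced by a constructed local stand-in that echoes back the Host header it received, so the example runs offline; `relay_get`, `EchoHostHandler` and `demo` are names chosen for this example. Note the CRLF check: a relay that copies a user-supplied value into a header line without it is itself vulnerable to request header injection.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


# Constructed stand-in for the third-party site: it answers every GET with the
# Host header it actually received, so we can see what the origin observed.
class EchoHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = ("host=%s" % self.headers.get("Host", "")).encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_echo_server():
    """Bind the stand-in server to an ephemeral port on localhost and serve it
    from a background thread. The caller shuts it down."""
    server = HTTPServer(("127.0.0.1", 0), EchoHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def relay_get(ip, port, spoofed_host, path="/"):
    """Connect to (ip, port) at the TCP level and send a GET whose Host header
    is spoofed_host, regardless of where the socket is connected.

    Returns (status_line, headers_dict, body_bytes) from the target's reply.
    """
    # A CR or LF in the value would terminate the Host line early and let the
    # caller inject further headers into the relayed request; refuse it.
    if "\r" in spoofed_host or "\n" in spoofed_host:
        raise ValueError("spoofed_host must not contain CR or LF")

    request = (
        "GET %s HTTP/1.1\r\n"
        "Host: %s\r\n"                      # not the address we connected to
        "User-Agent: relay-example\r\n"
        "Connection: close\r\n"
        "\r\n" % (path, spoofed_host)
    ).encode("iso-8859-1")

    with socket.create_connection((ip, port), timeout=5) as sock:
        sock.sendall(request)
        raw = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk

    # Minimal response parsing: status line, header lines, then the body.
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def demo(spoofed_host="$$CUSTOM_PAYLOAD$$"):
    """Run the stand-in origin, relay one request to it with a spoofed Host
    header, and return (status_line, body_text) as the origin saw it."""
    server = start_echo_server()
    try:
        ip, port = server.server_address
        status_line, _, body = relay_get(ip, port, spoofed_host)
        return status_line, body.decode("iso-8859-1")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())  # the origin reports host=$$CUSTOM_PAYLOAD$$
```

As the comments above point out, this makes your server a man in the middle: the user's browser only ever talks to your relay, so whatever you forward back arrives from your origin, not the target's, and if the target speaks TLS the relay has to terminate that connection itself. The user never holds a connection to the third party at all.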

Update: This doesn't work. Kudos to OP for trying it! Leaving "answer" to save others the time :)

Disclaimer: I haven't tried this and have no idea if it will work :)

If your page included JavaScript, then theoretically it could use XMLHttpRequest and setRequestHeader to generate a request such as you describe.

gowenfawr
  • Thanks, I tried this but the request was issued with only the original host header. The ajax header did not override the original host header (it actually wasn't included in the request at all, I was only able to create headers different than HOST). – user3074662 Dec 09 '13 at 17:06