
Host Header Injection Discovery at Apple’s Portal for Law Enforcement Authorities

Host Header Injection Attack

With the rapid growth of online business and customer demand, web applications have become an integral part of daily life. That growth has also widened the attack surface. This post walks through a Host Header Injection finding by Melbin, Security Analyst at ValueMentor and one of the senior members of our web application penetration testing team.

It is now common to host several websites on the same server. The applications share a single IP address and are distinguished by virtual host. The HTTP Host header is what lets the web server decide which application should process an incoming request.

When a client sends a request, the server uses the value of the Host header to dispatch it to the intended application. The problem is that the Host header is entirely under the client's control: anyone can supply an arbitrary or misleading value. When the server or application trusts that value without validation, the result is a host header injection attack. Before getting to the finding, a brief look at what the Host header is for and what its abuse means for the web server.

Purpose of HTTP Host Header

The primary function of the Host header is to tell the web server which backend application the client wants to reach. Supplying a forged or misleading Host value is trivial for an attacker, since the header is just another client-controlled input. The growing use of cloud-hosted and proxied deployments, where a single IP address fronts many applications, has made the problem more common. The root cause is missing or weak validation of the supplied value, which can cause the web server or application to:

  • Dispatch the request to the first virtual host in its configuration (the default)
  • Route requests to unintended, attacker-controlled domains
  • Store and serve poisoned responses from a web cache (web cache poisoning)
  • Build password reset links that can be hijacked
  • Grant access to areas not intended to be externally accessible

Detection of Host Header Injection in Apple’s Portal

Issue

Host Header Injection at Apple’s portal for Law Enforcement Authorities

Discovery Process

  • Subdomain enumeration of apple.com with the 'sublist3r' tool surfaced the host 'plec.apple.com'.
  • The requests and responses were then examined in Burp Suite Professional, the proxy-based tool our penetration testing team uses to assess the security of web applications.
  • The value supplied in the 'Host' and 'X-Forwarded-Host' headers was reflected in the response headers and body. The host header injection was documented with screenshots and a report, and shared with Apple for remediation.

Detailing the Steps

Send a GET request for https://plec.apple.com/sign_in with the Host header set to evil.com (from Burp Repeater or a raw client, since a browser will not send a Host that differs from the URL):

GET /sign_in HTTP/1.1
Host: evil.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie:
Upgrade-Insecure-Requests: 1

The response was a 302 redirect to https://evil.com/auth/appleconnect: the Location header and the body link were built from the attacker-supplied host rather than from a configured canonical hostname.

HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Connection: close
Status: 302 Found
X-Request-Id: c98562df-8e37-4ec8-bd3d-b03191c70cb8
Location: https://evil.com/auth/appleconnect
X-Download-Options: noopen
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 100

<html><body>You are being <a href="https://evil.com/auth/appleconnect">redirected</a>.</body></html>

The same response is obtained by sending the legitimate Host and placing evil.com in the X-Forwarded-Host header, which shows that the application also honours the proxy override header from untrusted clients. Deeper exploitation was not possible because the tester did not have access to the Apple Law Enforcement application behind the sign-in. The issue was reported, and the Apple team fixed it so that requests to https://plec.apple.com/sign_in now redirect to the Apple SSO page.
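The check above can be scripted so that the same probe is repeated across many hosts and paths. The following is an added example (not ValueMentor's tooling and not taken from the original write-up): it builds the raw probe with either a swapped Host or an added X-Forwarded-Host, parses a raw HTTP response, and reports where the canary host is reflected. The sample response is constructed from the 302 recorded above; the canary domain evil.com is the one used on this page, and in a real test you would use a domain you control so that a reflection can be confirmed out of band.

```python
"""Offline check for Host / X-Forwarded-Host reflection, modelled on the
plec.apple.com exchange above. Added example; not ValueMentor's tooling."""
from typing import Dict, List, Tuple

# Canary domain: use one you control so a reflection can be confirmed by a
# DNS/HTTP callback and cannot collide with legitimate content. "evil.com"
# is kept here only to match the exchange on this page.
CANARY_HOST = "evil.com"


def build_probe(path: str, real_host: str, canary: str, via: str = "host") -> bytes:
    """Build the raw HTTP/1.1 GET probe.

    via="host" swaps the Host header for the canary (needs a raw-socket client
    or Burp Repeater, because browsers always send the Host of the URL).
    via="xfh"  keeps the real Host and adds X-Forwarded-Host: <canary>.
    """
    if via == "host":
        host_lines = [f"Host: {canary}"]
    elif via == "xfh":
        host_lines = [f"Host: {real_host}", f"X-Forwarded-Host: {canary}"]
    else:
        raise ValueError("via must be 'host' or 'xfh'")
    lines = [f"GET {path} HTTP/1.1", *host_lines,
             "User-Agent: Mozilla/5.0", "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def find_reflections(canary: str, status: int,
                     headers: Dict[str, str], body: str) -> List[str]:
    """Report where the canary host shows up in the response.

    A canary in Location on a 3xx is the most serious case (the server itself
    sends the user to the attacker's domain); a canary in the body means links
    or script sources may be poisoned; any other header hit is worth a look.
    """
    needle = canary.lower()
    hits: List[str] = []
    if 300 <= status < 400 and needle in headers.get("location", "").lower():
        hits.append("redirect-location")
    for name, value in headers.items():
        if name != "location" and needle in value.lower():
            hits.append(f"header:{name}")
    if needle in body.lower():
        hits.append("body")
    return hits


# Constructed from the 302 response recorded on this page.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Connection: close\r\n"
    b"Status: 302 Found\r\n"
    b"X-Request-Id: c98562df-8e37-4ec8-bd3d-b03191c70cb8\r\n"
    b"Location: https://evil.com/auth/appleconnect\r\n"
    b"X-Download-Options: noopen\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Length: 100\r\n"
    b"\r\n"
    b'<html><body>You are being <a href="https://evil.com/auth/appleconnect">'
    b"redirected</a>.</body></html>"
)


def check_sample() -> List[str]:
    """Run the reflection check over the captured response."""
    status, headers, body = parse_response(SAMPLE_RESPONSE)
    return find_reflections(CANARY_HOST, status, headers, body)


if __name__ == "__main__":
    print(build_probe("/sign_in", "plec.apple.com", CANARY_HOST).decode())
    print("reflections:", check_sample())  # ['redirect-location', 'body']
```

Run both probe variants (via="host" and via="xfh") against every endpoint in scope; a hit in Location on a redirect, as seen here, is the strongest signal, while a body-only hit still needs checking for poisoned script or link URLs.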

Timeline

Reported – 17 Feb 2021

Triaged – 18 Feb 2021

Confirmed Fix – 5 May 2021

Gauged Insights on the findings

The broader lesson from this assessment is that developers rely heavily on the HTTP Host header value when they should not. It is used to generate links, to load scripts, and even to build password reset links. Because the header is attacker-controlled, each of those uses hands the attacker influence over where users and browsers are sent. Host headers can be abused in several ways that damage both the security and the reliability of a web application, and this test exposed exactly that weakness in the portal.

Exploiting ways of Host Header Injection

  • Password reset poisoning

Password reset poisoning is a common use of host header injection. The attacker manipulates the Host header so that the application builds the password reset link with a domain under the attacker's control. When the victim clicks the link in the e-mail, the reset token is sent to the attacker's server, which lets the attacker reset arbitrary users' passwords and take over their accounts.

  • Web cache poisoning

Web cache poisoning lets an attacker get a caching layer to store and serve a poisoned response to other users. If a response that reflects the Host header is cached by a proxy, CDN or other downstream cache that keys entries on the URL alone, the attacker's injected value is served to every subsequent visitor of that URL until the cache entry expires.

  • Server-side vulnerability exploit

Host headers are also an input to classic server-side vulnerabilities. Wherever the application uses the header value in a query, a template, a log entry or a command, an attacker can place the corresponding exploit payload in the Host header, for example an SQL injection payload that reaches the database if the host value is looked up or stored without parameterisation. The consequences can be severe.

  • Authentication bypass

Websites restrict certain functionality to internal users and enforce this with authentication or access controls. When that control is based on the Host header (for example, an 'internal' virtual host or an admin panel selected by hostname), a small change to the header can bypass it, exposing a larger attack surface than was intended.

  • Virtual host brute forcing

Organizations sometimes host publicly accessible and private internal websites on the same server, and the internal sites may have no public DNS records. If an attacker can guess or otherwise discover the hostname, they can send a request to the public IP address with that hostname in the Host header and reach the internal virtual host. A wordlist of candidate hostnames can be fed to Burp Intruder, with the Host header as the payload position, to brute force virtual hosts by looking for responses that differ from the default one.
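The differencing step is the part worth automating. The following is an added example, not part of the original write-up: it takes a `send` callable (one request to the target IP with a given Host) and flags candidates whose response differs from a baseline taken with a hostname that cannot exist. The server, its virtual hosts and the wordlist are constructed for illustration.

```python
"""Virtual host brute forcing by response differencing. Added example, not
part of the original write-up; the server and hostnames are constructed."""
from typing import Callable, Dict, Iterable, List, Tuple

Response = Tuple[int, int]           # (status code, body length)
Sender = Callable[[str], Response]   # sends GET / to the target IP with the given Host


def vhost_bruteforce(send: Sender, candidates: Iterable[str],
                     baseline_host: str = "nonexistent-canary.invalid",
                     length_tolerance: int = 64) -> List[Tuple[str, Response]]:
    """Return candidates whose response differs from the default virtual host.

    The baseline is taken with a hostname that cannot exist, so it shows what
    the server returns for an unknown Host (typically the first vhost in its
    configuration). Body length is compared with a tolerance because pages
    that echo the Host value change length by a few bytes per hostname.
    """
    base_status, base_len = send(baseline_host)
    hits: List[Tuple[str, Response]] = []
    for host in candidates:
        status, length = send(host)
        if status != base_status or abs(length - base_len) > length_tolerance:
            hits.append((host, (status, length)))
    return hits


# A constructed stand-in for a server at one IP that hosts three virtual
# hosts; the first entry doubles as the default for any unknown Host.
VHOSTS: Dict[str, Response] = {
    "www.example.com":      (200, 5120),
    "intranet.example.com": (200, 880),
    "jenkins.example.com":  (403, 210),
}


def fake_send(host: str) -> Response:
    """Simulated network call: unknown hosts fall through to the first vhost."""
    default = next(iter(VHOSTS.values()))
    return VHOSTS.get(host.lower(), default)


def run_demo() -> List[str]:
    """Brute force a small wordlist against the simulated server."""
    wordlist = ["www", "dev", "intranet", "staging", "jenkins", "admin"]
    candidates = [f"{w}.example.com" for w in wordlist]
    return [host for host, _ in vhost_bruteforce(fake_send, candidates)]


if __name__ == "__main__":
    print(run_demo())  # ['intranet.example.com', 'jenkins.example.com']
```

Note that www.example.com is not reported even though it exists: it is the default virtual host, so its response is identical to the baseline. Differencing only finds hosts that are hidden behind the default, which is exactly the internal ones of interest. A real `send` would open a TCP or TLS connection to the IP address and set both the Host header and the TLS SNI to the candidate; in Burp Intruder the equivalent is to mark the Host value as the payload position and sort results by status and response length.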

  • Routing based SSRF

Classic SSRF relies on functionality that fetches attacker-supplied URLs, such as XXE or business logic that issues HTTP requests. Routing-based SSRF instead abuses components of cloud and proxied architectures, such as internal load balancers and reverse proxies, that receive requests and forward them to a backend chosen from the Host header. Where host header validation is weak or missing, an attacker can have the proxy route their request to an internal system of their choosing.

Recommended Preventions to Host Header Injection

The simplest way to avoid host header vulnerabilities is not to use the Host header in server-side code at all. Where that is not possible, the following controls help:

  • Build absolute URLs (links, redirects, password reset links) from a configured canonical hostname, never from the request
  • Validate the Host header against an allow list of expected hostnames and reject anything else with a 400 response
  • Disable support for host override headers such as X-Forwarded-Host unless a trusted proxy in front of the application needs them, and then only honour them from that proxy
  • Keep internal-only virtual hosts off public-facing servers, and do not rely on their hostnames staying secret
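The following added example puts the first three controls next to the behaviour observed in the finding and the password reset case described earlier. It is illustrative code, not Apple's or ValueMentor's: the canonical hostname, the trusted proxy address and the WSGI-style `environ` dictionary are assumptions, and the allow list would normally come from framework configuration (Django's `ALLOWED_HOSTS`, Rails' `config.hosts`).

```python
"""Vulnerable versus hardened host handling for redirects and password reset
links. Added example; hostnames, proxy addresses and the WSGI-style environ
are assumptions for illustration, not Apple's or ValueMentor's code."""
import re
from typing import Dict, Optional

# Configuration, not request data: the only hostname(s) this app answers for.
CANONICAL_HOST = "plec.apple.com"
ALLOWED_HOSTS = {CANONICAL_HOST}
# X-Forwarded-Host is honoured only when the connection comes from our own
# reverse proxy (assumed address); from anyone else it is attacker input.
TRUSTED_PROXIES = {"10.0.0.5"}

# hostname, optional :port; anything else (userinfo '@', spaces, slashes) fails
_HOST_RE = re.compile(r"^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::(\d{1,5}))?$")


def vulnerable_redirect(environ: Dict[str, str], path: str) -> str:
    """Mirrors the observed behaviour: build an absolute URL from whatever
    host the client sent, preferring the override header."""
    host = environ.get("HTTP_X_FORWARDED_HOST") or environ["HTTP_HOST"]
    return f"https://{host}{path}"


def effective_host(environ: Dict[str, str]) -> Optional[str]:
    """Return the validated hostname, or None if the request must be rejected."""
    host = environ.get("HTTP_HOST", "")
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        host = environ.get("HTTP_X_FORWARDED_HOST", host)
    m = _HOST_RE.match(host.strip().lower())
    if not m:
        return None
    name, _port = m.groups()
    return name if name in ALLOWED_HOSTS else None


def hardened_redirect(environ: Dict[str, str], path: str) -> str:
    """Reject unexpected hosts, then build the URL from configuration."""
    if effective_host(environ) is None:
        raise ValueError("400 Bad Request: unexpected Host header")
    return f"https://{CANONICAL_HOST}{path}"


def password_reset_link(token: str) -> str:
    """Reset links never touch the request at all, so they cannot be poisoned."""
    return f"https://{CANONICAL_HOST}/password/reset?token={token}"


def demo() -> Dict[str, str]:
    """Compare both behaviours on the two probes used in the finding."""
    forged = {"HTTP_HOST": "evil.com", "REMOTE_ADDR": "203.0.113.9"}
    override = {"HTTP_HOST": CANONICAL_HOST,
                "HTTP_X_FORWARDED_HOST": "evil.com", "REMOTE_ADDR": "203.0.113.9"}
    out = {
        "forged_vulnerable": vulnerable_redirect(forged, "/auth/appleconnect"),
        "override_vulnerable": vulnerable_redirect(override, "/auth/appleconnect"),
        "override_hardened": hardened_redirect(override, "/auth/appleconnect"),
    }
    try:
        out["forged_hardened"] = hardened_redirect(forged, "/auth/appleconnect")
    except ValueError as exc:
        out["forged_hardened"] = str(exc)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```

Two points are easy to get wrong. First, validation and URL construction are separate defences: even after the host has passed the allow list, the redirect is still built from `CANONICAL_HOST`, so a later change to the list cannot reintroduce the bug. Second, the override header is only read when the connection really comes from the trusted proxy; the `override` probe above, sent directly by a client, is ignored and the request is served for the canonical host.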

This hall of fame finding by Melbin Mathew (Security Analyst at ValueMentor) is an inspiration to the whole technical team and to the values we uphold as an organization. We have added background on the various kinds of host header attacks and the preventive measures that an organization's security team can deploy right away. ValueMentor cyber security services are available to help with your security concerns, and we are equipped to take you to safer heights.