What bridges a user and a business?
In other words, what connects enterprises to their target business audience? These are the websites or web applications that serve as the forefront of a business service. Nowadays, most businesses have multiple websites to connect their services to the intended audience and thus host header injection has also become a major security risk along with this.
With every advancement in the software application field, there is a weakness developing at the other end. These security flaws often go neglected in the software development life cycle and can pose a threat anytime later. Hence performing vulnerability assessments are an integral part of the security assessments for websites. Here is where host header attacks seem to disturb the application landscape.
Host header injection attack
The issue arises when a single web server hosts multiple websites or web applications with the same IP address. Usually, a host header determines which web application would process an incoming HTTP request. These headers carry a value and get absorbed by the server to dispatch the request to the intended reach.
So, what happens when an invalid host header is given by the user? Or, what happens if the host header gets altered and malformed by an attacker? It can lead to issues while routing requests. The process where an attacker provides false headers to the web application is known as a host header injection attack.
Here are the details on how host header vulnerability was spotted by Rishikesh K.S, Security Analyst, ValueMentor on the Opencagedata website. Now let’s move into his findings.
Into the vulnerability finding
It was during a routine testing time he found the vulnerability in the Opencagedata website. It was affecting most of the pages with redirection.
Detailing the discovery process
A mindful discovery process was soon alive.
He directed a post request on https://www.opencagedata.com//dashboard/update_details
POST /dashboard/update_details HTTP/1.1 Host: opencagedata.com X-Forwarded-Host: google.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://opencagedata.com/dashboard Content-Type: application/x-www-form-urlencoded Content-Length: 173 Connection: close Cookie: _opencagedata_geocoder_app_session=NSpPmMu21fwkQ%2F99euZ7Hmg5b6lYMg6BYaCjib8onZs4KLqZqrQMI3B7RO0XyAdh%2BP9KQJVgFWHQY9pAdE5IAK8iQC5WJzMZG4F6zYoxE6afqxf%2B%2BgjMOJ5MZHGQZfC4S5CekFOVItYyqXeQR2pJR4Opn0kfwEbRyS5Sq0JaybDYddF%2FdEDiylzQLyXPCtbWKYKCE8oA4XMCqRnBPu%2FxGEXRbjZZfWY%2FE5Ii%2FgKzSvy6rc2CUtWV7Al2Z1aVazIstVTUKTaDGjILNlIXsfldE1S7Avuwa3osOzEUTKTzc8i%2BRWNOW0VZWmouYky0ojMnm21dFc4npkYGgvbA3jNsnvHLdNA3RWcQ4FMhH0RWymFOS2h30lMoEP7%2BaUYIWDu8cOYDvPABmBhGcyZ0s1yDVBhVM6uhrbqrFaLjgP%2BQh8k1Jg%3D%3D--jS8Vz1ClDIIm5xlS--ZG7TftxNzd5s5%2FinCcaeeg%3D%3D Upgrade-Insecure-Requests: 1 _method=put&authenticity_token=ueUnnVcm50FgnkUqnO2gTIX6yXw8KS1mlHbwkqcbkqulBatFO30HbI7JZEg20AAiaowiwFJMx%2FDTE570W%2Fz8ng%3D%3D&user%5Bname%5D=lol&user%5Bcompany_name%5D=lol
By adding X Forwarded host as ‘attacker.com’, the webpage redirects to the intended ‘attacker.com’.
Application Wide- (Redirects)
A host header injection vulnerability can have adverse impacts on business enterprises. It can lead to phishing, password hijacking, session hijacking etc. Hence the vulnerability was spotted true to evidence, clarified, reported to the target, and fixed under the given timeline.
Discovered: 30 December 2019
Reported: 30 December 2019
Fixed: 31 December 2019
Added Insights on Host Header Injection
While the vulnerability goes hidden in many applications and websites, it can cause more harm if left behind. To efficiently tackle the issue, enterprises require a clear idea about host header injection techniques, motives, and impacts. There are different phases for host header attacks, such as;
- web cache poisoning
- X-forwarded host headers
- password reset poisoning
Why do Host Header Injection attacks happen?
The fuel factor for these attacks is HTTP headers, validating the user requests. Basically, these are injection attacks that target host headers. The issue here is these headers get dynamically generated. As a result, they can be altered, modified, or spoofed by attackers. Another cause of the attacks circles around input validations. If the websites fail to validate user inputs and verify host headers, this can lead to host injections.
Impacts of the vulnerability
Many websites and web applications don’t use adequate input validations measures against user requests. In other words, the server blindly trusts the host header value in an insecure way and fail to validate it. As a result, attackers can push invalid requests and flush in harmful payloads. They can also manipulate server-side behaviours towards an intended purpose. Host headers without validation can result in;
- URL redirections
- Password reset poisoning
- Session hijacking
- Credential piracy
- Financial losses
- Reputation harm
So far, we have traversed the identified host header injection vulnerability on a website. Developers still fail to realize that HTTP host headers could be easily accessed and controlled by users. Hence, web applications easily fall prey to host header attacks. As a counterpart, web developers should be mindful of host header issues. Tackling the vulnerability means protecting absolute URLs and the use of healthy validations for user input requests. Additionally, keep an eye on override headers. Also, deploy a whitelist of permitted domains and avoid internal-only virtual hosting’s.