The Pentesting Guide

Host Header Injection

Introduction

A Host header injection vulnerability is a web vulnerability that occurs when the web application does not correctly validate the Host header of incoming HTTP requests, so an attacker can supply an arbitrary value for it.

By supplying invalid input, the attacker can cause the web server to:

  • Dispatch requests to the first virtual host on the list.
  • Perform a redirect to an attacker-controlled domain.
  • Perform web cache poisoning.
  • Manipulate password reset functionality.
  • Allow access to virtual hosts that were not intended to be externally accessible.

Test Host Header injection

There are several techniques you can try to test for this vulnerability.

On an HTTP request, modify the Host header value as follows:

  • Messing with the port number: example.com:<STUFF_HERE>
  • Adding an @: example.com:1234@<MALICIOUS_DOMAIN>
  • Adding carriage return and line feed: example.com%0d%0aLocation: malicious.com
  • Malicious domain: example.com.malicious.com
  • Inject duplicate Host headers:

    GET /example HTTP/1.1
    Host: example.com
    Host: malicious.com

  • Supply an absolute URL on the HTTP path:

    GET https://example.com/ HTTP/1.1
    Host: <BAD_STUFF>

  • Indent headers:

    GET /example HTTP/1.1
        Host: <BAD_STUFF>
    Host: example.com
  • Use host override headers: a host override header can be used to redirect a request to a different server or to impersonate a legitimate server. To discover the headers supported by the server, you can use the Burp Suite extension Param Miner by right-clicking on the request and then choosing Extensions > Param Miner > Guess params > Guess headers, or try the following wordlist.

    GET / HTTP/1.1
    Host: example.com
    X-Forwarded-For: 127.0.0.1
    X-Forwarded-Host: 127.0.0.1
    X-Forwarded-IP: 127.0.0.1
    X-Forwarded-Server: 127.0.0.1
    X-Client-IP: 127.0.0.1
    X-Remote-IP: 127.0.0.1
    X-Originating-IP: 127.0.0.1
    X-Host: 127.0.0.1
    X-HTTP-Host-Override: 127.0.0.1
    X-Client: 127.0.0.1
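The test cases above double as a checklist for the receiving side. As an added example (not code from the guide), the following Python checker parses a raw HTTP/1.1 request and reports every one of those conditions: duplicate or indented Host lines, an absolute-form request target, a Host value with a port, an @, an encoded CRLF or an unexpected suffix, and the override headers from the wordlist. The allowlist and the sample request are constructed for the example; the same logic fits a reverse-proxy rule or a log-review script.

```python
import re

# Hostnames this application legitimately serves (constructed for the example).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
# Override headers from the wordlist above; a front-end proxy should strip them.
OVERRIDE_HEADERS = {
    "x-forwarded-for", "x-forwarded-host", "x-forwarded-ip", "x-forwarded-server",
    "x-client-ip", "x-remote-ip", "x-originating-ip", "x-host",
    "x-http-host-override", "x-client",
}
# Strict Host form: hostname characters only, with an optional numeric port.
HOST_RE = re.compile(r"^([A-Za-z0-9.-]+)(?::(\d{1,5}))?$")


def find_host_issues(raw_request: str) -> list[str]:
    """Return findings for one raw HTTP/1.1 request (empty list if it is clean)."""
    findings: list[str] = []
    lines = raw_request.split("\r\n")
    parts = lines[0].split(" ")
    target = parts[1] if len(parts) > 1 else ""
    if "://" in target:  # absolute-form target: its authority takes precedence over Host
        authority = target.split("://", 1)[1].split("/", 1)[0]
        findings.append(f"absolute-form request target with authority {authority!r}")
    headers = []
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the header section
        if line[0] in " \t":  # obsolete line folding; treat the line as suspicious
            findings.append(f"indented header line: {line.strip()!r}")
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1:
        findings.append(f"expected exactly one Host header, found {len(hosts)}")
    for value in hosts:
        m = HOST_RE.match(value)
        if not m:  # catches '@', '%0d%0a', spaces and other non-hostname characters
            findings.append(f"malformed Host value: {value!r}")
        elif m.group(1).lower() not in ALLOWED_HOSTS:  # catches example.com.malicious.com
            findings.append(f"Host not in allowlist: {m.group(1)!r}")
    for name, _ in headers:
        if name in OVERRIDE_HEADERS:
            findings.append(f"host override header present: {name}")
    return findings


# Constructed sample: the duplicate-Host test case from the list above.
SAMPLE = "GET /example HTTP/1.1\r\nHost: example.com\r\nHost: malicious.com\r\n\r\n"
```

Calling find_host_issues(SAMPLE) reports both the second Host line and the unlisted hostname; a request that passes with an empty list is one the application can safely use the Host value from.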

Password Reset Poisoning

Some web applications build the password reset link from the Host header value of the request. In that case an attacker can request a password reset for the victim's account while sending the attacker's domain as the Host value; the generated link then points at the attacker's domain, and if the victim clicks the link they received, the attacker's server receives a request carrying the victim's reset token.
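The root cause is that the link's origin comes from attacker-controlled input. As an added example (not from the guide), the vulnerable pattern is shown beside a hardened version that takes the origin from configuration and only uses the request's Host value when it exactly matches a known deployment hostname; ALLOWED_HOSTS, CANONICAL_ORIGIN and the /reset-password path are assumptions for the example.

```python
import logging
from urllib.parse import urlencode

log = logging.getLogger("password-reset")

# Hostnames the application is deployed under (constructed for this example).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
# Public origin from deployment configuration, never derived from the request.
CANONICAL_ORIGIN = "https://example.com"


def reset_link_vulnerable(request_host: str, token: str) -> str:
    """The pattern described above: the link's host is copied straight from the
    Host header, so a forged request turns the reset e-mail into a token leak."""
    return f"https://{request_host}/reset-password?{urlencode({'token': token})}"


def reset_link_hardened(request_host: str, token: str) -> str:
    """Build the link from a configured origin.

    The Host header is only consulted to choose between known deployments and
    only on an exact, case-insensitive match: a port suffix, an '@', an encoded
    CRLF or an extra domain label all fail the lookup and fall back to the
    canonical origin, and the unexpected value is logged for investigation."""
    host = request_host.lower()
    if host in ALLOWED_HOSTS:
        origin = f"https://{host}"
    else:
        log.warning("unexpected Host header in password reset: %r", request_host)
        origin = CANONICAL_ORIGIN
    return f"{origin}/reset-password?{urlencode({'token': token})}"
```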

Accessing Private Virtual Host

An organization might have several sites hosted on the same web server, so there may be virtual hosts that are not intended to be externally accessible. To discover those hidden virtual hosts you can execute the following command, which substitutes each wordlist entry for FUZZ in the Host header while sending every request to the same IP address.

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u https://website.com/ -of md -o vhosts.txt -H "Host: FUZZ.example.com"
