IIS Support Blog

Host Header Vulnerability

Nedim
Iron Contributor
Nov 25, 2019

Browsers send the Host header to tell the server which site the client wants to visit. Attackers can tamper with the Host header to manipulate how the application behaves. Here is how this attack occurs:


  1. The attacker sends a request with a modified Host header (example: malicious-site.com)
  2. The web server receives the request with this Host header (malicious-site.com)
  3. If the application uses the Host header value to build a link, that link points at the malicious site. For example, the application may build the URL of a JS file from the Host header string. In that case the page references an address like the one below, which points to the attacker’s site:
    <script src="http://malicious-site.com/script.js">

This type of attack can also affect password reset forms, and the X-Forwarded-Host header can be abused in the same way.


Solution

Security scan tools may flag Host header related findings as a vulnerability. Here are the best practices for preventing attackers from abusing the Host header:

  • Do not use the Host header in your code
  • If you have to use it, validate it on every page
  • Set a host name in the bindings of every IIS website
  • Disable support for X-Forwarded-Host
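As an added illustration (not code from this post or from Microsoft), here is what the first two bullets look like in classic ASP.NET (System.Web): a hypothetical HostHeaderValidator allowlist, a password-reset link builder that echoes the Host header (the vulnerable pattern from the attack description above), one that validates the header first, and one that never reads it at all. The allowlist entries, class names and the /reset path are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web; // classic ASP.NET; HttpRequest and HttpException come from here

// Hypothetical helper (not part of the blog post): the allowlist is the only
// source of truth for which host names this application may answer to.
public static class HostHeaderValidator
{
    // Host names the site is published under (example values, replace with yours).
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "domain.com",
            "www.domain.com"
        };

    // Returns the normalized host name if the Host header is on the allowlist,
    // otherwise null. A trailing ":port" is removed before the comparison because
    // browsers send "domain.com:8443" for non-default ports.
    public static string Normalize(string hostHeader)
    {
        if (string.IsNullOrWhiteSpace(hostHeader))
            return null;

        string host = hostHeader.Trim();

        // IPv6 literals look like "[::1]:443"; anything else has at most one colon.
        int portSeparator = host.StartsWith("[")
            ? host.IndexOf("]:", StringComparison.Ordinal) + 1
            : host.IndexOf(':');
        if (portSeparator > 0)
            host = host.Substring(0, portSeparator);

        return AllowedHosts.Contains(host) ? host.ToLowerInvariant() : null;
    }
}

public static class PasswordResetLinks
{
    // VULNERABLE: the authority of the link comes straight from the
    // attacker-controlled Host header, so a poisoned reset e-mail points
    // at the attacker's site.
    public static string BuildFromHostHeader(HttpRequest request, string token)
    {
        return "https://" + request.Headers["Host"] + "/reset?token=" + token;
    }

    // HARDENED: the Host header is checked against the allowlist on this page;
    // if it is not there the request is rejected instead of being echoed.
    public static string BuildValidated(HttpRequest request, string token)
    {
        string host = HostHeaderValidator.Normalize(request.Headers["Host"]);
        if (host == null)
            throw new HttpException(400, "Unexpected Host header");
        return "https://" + host + "/reset?token=" + Uri.EscapeDataString(token);
    }

    // SAFEST: do not read the Host header at all; take the canonical site URL
    // from configuration (first best-practice bullet above).
    public static string BuildFromConfig(string canonicalBaseUrl, string token)
    {
        var baseUri = new Uri(canonicalBaseUrl);
        return new Uri(baseUri, "/reset?token=" + Uri.EscapeDataString(token)).ToString();
    }
}
```

The validator reads Request.Headers["Host"] only; X-Forwarded-Host is deliberately ignored, which matches the last bullet. Checking against a fixed allowlist instead of a regular expression also avoids the sub-domain and dot-escaping pitfalls raised in the comments on this post.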

URL Rewrite rules can be used to find malicious host headers:

  1. Click the site in IIS Manager
  2. Go to “URL Rewrite” (the module must be installed first)
  3. Click “Add Rule(s)”
  4. Select “Blank rule”
  5. In the “Match URL” section, enter (.) into the “Pattern” field
  6. In the “Conditions” section, click “Add”
  7. Enter {HTTP_HOST} into “Condition input”
  8. Select “Does Not Match the Pattern” from the “Check if input string” list
  9. Enter ^([a-zA-Z0-9-_]+.)*domain.com$ into the “Pattern” field (replace domain.com with your own domain)
  10. In the “Action” section, select “Redirect” from the “Action type” list
  11. Enter your domain address (https://domain.com/) in the “Redirect URL” field
  12. Select “Permanent (301)” from the “Redirect type” list
  13. Click “Apply”
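The same rule expressed as a web.config fragment, added here as an example (it is not from the post; domain.com is a placeholder to replace with your own domain). It follows steps 5 to 12 above with two changes taken from zazajoby's comment below: the dots in the host pattern are escaped so they match a literal ".", and the URL pattern is .* rather than (.) so that a request for the site root (an empty URL path in URL Rewrite) is redirected as well.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Redirect any request whose Host header is not one of our own host names -->
        <rule name="Reject unexpected Host header" stopProcessing="true">
          <!-- Step 5, widened from (.) to .* so the site root is covered too -->
          <match url=".*" />
          <conditions>
            <!-- Steps 7-9: {HTTP_HOST} "Does Not Match the Pattern" is negate="true";
                 dots escaped so "domain;com" or "domain_com" cannot match -->
            <add input="{HTTP_HOST}" pattern="^([a-zA-Z0-9-_]+\.)*domain\.com$" negate="true" />
          </conditions>
          <!-- Steps 10-12: permanent (301) redirect to the canonical address -->
          <action type="Redirect" url="https://domain.com/" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

IIS Manager writes exactly this section into the site's web.config when you click “Apply”, so the fragment can be checked into source control and deployed with the application instead of being configured by hand on each server. Note that the condition still allows any depth of sub-domain; the comment below suggests a repetition limit if that is not wanted.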

Updated May 13, 2020
Version 2.0

13 Comments

  • zazajoby
    Copper Contributor

    For “Match URL” section, enter (.) into the “Pattern”

    (.) will match only the first character of the input string. 

    (.*) will match the whole input string twice because of the grouping parenthesis

    .* will match the whole input string in a single pass

    Is the intent to match only the first character of an input URL? Just by looking at the rule, I would guess it would cause all requests to the webserver to be redirected.


    Enter ^([a-zA-Z0-9-_]+.)*domain.com$ into “Pattern” field (change domain name with yours)

    You may want to escape the "." as in ([a-zA-Z0-9-_]+\.) and domain\.com, to ensure that the regex engine interprets the dot as a literal rather than a wildcard for any single character. As the pattern is currently written, an input string containing sv123!domain_com or domain;com would match.

    Also, it might make sense to limit repetition of the ([a-zA-Z0-9-_]+\.) pattern. Maybe use {0,2} instead of right after it. That would allow a match of zero to two subdomain levels max, such as mydomain.com, or server1.mydomain.com, or server1.svgroup0.mydomain.com.


  • Nedim
    Iron Contributor

    Thanks for checking out the post and pointing out the typo, Hiep! I have updated it.

  • Hiep_Le
    Copper Contributor

    Nedim,


    Thanks for the great article!

    However, I would like to point out a typo.

    At step 9 you're missing an asterisk before the domain.

    Instead of "^([a-zA-Z0-9-_]+.)domain.com$", it should be "^([a-zA-Z0-9-_]+.)*domain.com$"


    Regards,

    Hiep Le