Host Header Vulnerability
Published Nov 25 2019 11:31 AM 34.4K Views
Microsoft

Browsers send Host Header to inform about the URL client wants to visit. Attackers can temper Host Header to manipulate how the application works. Here is how this attack occurs:

 

  1. Attacker makes a request with edited Host Header (Example: malicious-site.com)
  2. Web server receives this Host Header (malicious-site.com)
  3. If the application is using this Host Header in a link, the malicious site will be displayed. For example, the application may be calling a JS file with Host Header string. In this case, the website will call an address like the one below which points to attacker’s site:
    <script src="http://malicious-site.com/script.js">

This type of attack can affect password reset forms and X-Forwarded-Host header as well.

 

Solution

Security scan tools may flag Host Header related findings as a vulnerability. Here are the best practices for preventing attackers using Host Header:

  • Do not use Host Header in the code
  • If you have to use it, validate it in every page
  • Use hostnames in all IIS websites
  • Disable support for X-Forwarded-Host

URL Rewrite rules can be used to find malicious host headers:

  1. Click on the site in IIS  Manager
  2. Go to “URL Rewrite” (it should be installed first)
  3. Click “Add Rule(s)
  4. Select “Blank rule
  5. For “Match URL” section, enter (.) into the “Pattern
  6. In “Conditions” section, click “Add
  7. Enter {HTTP_HOST} into “Condition input
  8. Select “Does Not Match the Pattern” from “Check if input string” list
  9. Enter ^([a-zA-Z0-9-_]+.)*domain.com$ into “Pattern” field (change domain name with yours)
  10. For the “Action” section, select “Redirect” from the “Action type” list
  11. Enter your domain address (https://domain.com/) in the “Redirect URL
  12. Select “Permanent (301)” from the “Redirect type” list
  13. Click “Apply

1.jpg

10 Comments
Version history
Last update:
‎May 13 2020 07:15 AM
Updated by: