Host Header Vulnerability
Microsoft

Browsers send the Host header to tell the server which site (host name) the client wants to reach. Attackers can tamper with the Host header to manipulate how the application behaves. Here is how the attack works:


  1. The attacker sends a request with an edited Host header (for example: malicious-site.com).
  2. The web server receives the request with this Host header (malicious-site.com).
  3. If the application uses the Host header to build a link, the malicious host ends up in the page. For example, the application may reference a JS file using the Host header string. In that case the page will load an address like the one below, which points to the attacker’s site:
    <script src="http://malicious-site.com/script.js">

This type of attack can also affect password reset forms, and the X-Forwarded-Host header can be abused in the same way.


Solution

Security scan tools may flag Host header related findings as a vulnerability. Here are the best practices for preventing attackers from abusing the Host header:

  • Do not use the Host header in the code
  • If you have to use it, validate it on every page
  • Use host names in the bindings of all IIS websites
  • Disable support for X-Forwarded-Host

URL Rewrite rules can be used to catch requests that carry an unexpected Host header:

  1. Click on the site in IIS Manager
  2. Go to “URL Rewrite” (the URL Rewrite module must be installed first)
  3. Click “Add Rule(s)”
  4. Select “Blank rule”
  5. In the “Match URL” section, enter (.) into the “Pattern” field
  6. In the “Conditions” section, click “Add”
  7. Enter {HTTP_HOST} into “Condition input”
  8. Select “Does Not Match the Pattern” from the “Check if input string” list
  9. Enter ^([a-zA-Z0-9-_]+.)domain.com$ into the “Pattern” field (replace domain.com with your own domain name)
  10. In the “Action” section, select “Redirect” from the “Action type” list
  11. Enter your domain address (https://domain.com/) in the “Redirect URL” field
  12. Select “Permanent (301)” from the “Redirect type” list
  13. Click “Apply”
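The rule that the steps above produce, written out as the web.config fragment URL Rewrite stores for the site, so it can be deployed without clicking through IIS Manager. This is an added example, not from the original post; domain.com is the placeholder the post uses, Rule A reproduces the post's settings, and Rule B is a hardened variant of my own (escaped dots, optional subdomain so the apex host does not redirect to itself, optional port, and a 400 response instead of a redirect).

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule A: what steps 3-13 above produce. Keep only one of
             the two rules; both set stopProcessing, so the first
             matching rule wins. "(.*)" is used instead of the post's
             "(.)" so the root request (empty URL) is covered as well.
             negate="true" is the "Does Not Match the Pattern" choice. -->
        <rule name="Redirect unexpected Host header" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^([a-zA-Z0-9-_]+.)domain.com$" negate="true" />
          </conditions>
          <action type="Redirect" url="https://domain.com/" redirectType="Permanent" />
        </rule>

        <!-- Rule B (hardened variant, my own): dots are escaped so a host
             such as "domainXcom" is not accepted; the subdomain group is
             optional so "domain.com" itself passes (with Rule A the apex
             host fails the check and is redirected to itself in a loop);
             an optional port is allowed because {HTTP_HOST} carries it;
             and the request is refused with 400 rather than redirected.
             Conditions are case-insensitive by default (ignoreCase="true"). -->
        <rule name="Reject unexpected Host header" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^([a-z0-9-]+\.)?domain\.com(:[0-9]+)?$" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="400"
                  statusReason="Bad Request"
                  statusDescription="Unexpected Host header" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Test either rule with a request that carries a foreign Host value (for example with curl -H "Host: malicious-site.com") and with the legitimate host names, including the apex and any port you serve on, before enabling it in production.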

[Image: 1.jpg]