Host Header Attack

Introduction

It is common practice for the same web server to host several websites or web applications on the same IP address. This is why the Host header exists. The Host header specifies which website or web application should process an incoming HTTP request, and the web server uses the value of this header to dispatch the request to that website or web application. Because the header is supplied by the client, an application that trusts it blindly (for example, to build redirect or password-reset URLs) can be pointed at a host of the attacker's choosing.

How to Test

Steps

  • Go to the respective site (e.g. https://demo.testfire.net/).

  • Open Burp Suite Community Edition. Here is the blog on how to configure it with your browser.

  • In Burp Suite, go to the Proxy tab and then to HTTP history. Send any request to Repeater by right-clicking on the packet.

Screenshot: packets sent to Repeater
  • Change Host: demo.testfire.net to Host: Attacker.com; the website then goes to attacker.com.

Screenshot: before changing the Host header
Screenshot: after changing the Host header

Solutions

PHP

Method 1

This is simple code to verify the Host header. We use $_SERVER['HTTP_HOST'] to obtain the host name. If $_SERVER['HTTP_HOST'] and the required host are the same, the request proceeds; if not, the request is treated as an error. We have to insert the code in the required PHP file.

<?php
// Host name this application expects to be reached under (replace with your own).
$expected_host = "Host_name";

// HTTP_HOST comes straight from the client-supplied Host header, so it is
// untrusted input until it has been compared with the expected value.
$host = $_SERVER['HTTP_HOST'] ?? '';

if ($host === $expected_host) {
    // make use of the $host variable for your requirements
} else {
    http_response_code(400);
    echo "invalid access error message";
}
?>

Method 2

In this method, we declare which domains the web page may be accessed under, and reject everything else.

// Domains this web page may be served under (replace with your own).
$domains = ['abc.example.com', 'foo.bar.com'];
// SERVER_NAME is set by the web server; depending on its configuration
// (e.g. Apache with UseCanonicalName Off) it may simply mirror the Host header.
if (!in_array($_SERVER['SERVER_NAME'] ?? '', $domains, true)) {
    // error
}

APACHE

Method 1

To mitigate Host header attacks, we have to create Virtual Host entries in the configuration file, httpd.conf. Note that Apache serves a request whose Host header matches no ServerName or ServerAlias from the first virtual host listed for that address and port, so the first entry should be a default that does not serve the application.

# Configures the virtual host listening for all IPs on port 80.
<VirtualHost *:80>
 ServerName yourdomain.com
 ServerAlias www.yourdomain.com
 DocumentRoot /path/to/your/webroot/directory
</VirtualHost>

Method 2

We can verify the Host header with a regex pattern. If the regex does not match, the request is redirected to a predefined URL. We can configure this in .htaccess or in httpd.conf.

# Allows up to three subdomain levels ({0,3}), each 1 to 20 characters long ({1,20}). Change it to your convenience.
# The dots are escaped so that "." matches only a literal dot, not any character; [NC] makes the match case-insensitive.
RewriteEngine On
RewriteCond %{HTTP_HOST} !^([a-zA-Z0-9_-]{1,20}\.){0,3}domain\.com$ [NC]
RewriteRule ^(.*)$ https://domain.com/ [R=301,L]
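The same validation in a form that can be run locally, as an added example (not code from this page's author): it applies the allowlist idea of PHP Method 2 and the regex shape of the rewrite rule above, and shows why the dot in the pattern must be escaped and why a :port suffix on the Host value needs handling. ALLOWED_HOSTS, domain.com and the sample inputs are constructed values.

```python
import re

# Allowlist of host names this application is willing to serve (constructed sample).
ALLOWED_HOSTS = {"domain.com", "www.domain.com", "api.domain.com"}

# Pattern in the style of the rewrite rule above, with the dots escaped so that
# "." matches only a literal dot; the hyphen is last in the class so it is literal.
HOST_PATTERN = re.compile(r"^([a-z0-9_-]{1,20}\.){0,3}domain\.com$", re.IGNORECASE)

# The unescaped variant, kept only to show the defect: "." matches any character.
LOOSE_PATTERN = re.compile(r"^([a-zA-Z0-9_-]{1,20}.){0,3}domain.com$")


def normalize_host(raw: str) -> str:
    """Lower-case the Host value and strip an optional :port suffix.

    A Host header may legitimately carry a port (e.g. 'domain.com:8443'), which
    would otherwise make a valid host fail an anchored check. A bracketed IPv6
    literal such as '[::1]:8080' is reduced to the bracketed part only.
    """
    host = raw.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_allowed_by_list(raw: str) -> bool:
    """Strict allowlist check, the equivalent of PHP Method 2 above."""
    return normalize_host(raw) in ALLOWED_HOSTS


def host_allowed_by_regex(raw: str, pattern: re.Pattern = HOST_PATTERN) -> bool:
    """Regex check in the style of the Apache and IIS rules above."""
    return pattern.match(normalize_host(raw)) is not None


if __name__ == "__main__":
    for sample in ["domain.com:8443", "api.domain.com", "evildomain.com",
                   "domain.com.evil.net", "a.b.c.d.domain.com"]:
        print(f"{sample:24} list={host_allowed_by_list(sample)!s:5} "
              f"regex={host_allowed_by_regex(sample)!s:5} "
              f"loose={host_allowed_by_regex(sample, LOOSE_PATTERN)}")
```

Running it shows that evildomain.com passes the loose pattern (the unescaped dot matches the "l") but fails both the corrected pattern and the allowlist.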

ASP.NET

You can use URL Rewrite rules in IIS to find malicious host headers. Perform the steps below:

  1. Go to IIS Manager.

  2. Click on the site.

  3. Double click on “URL Rewrite” (it should be installed).

  4. Click “Add Rule(s)” on the right side.

  5. Select “Blank rule” in Inbound rules. Click “OK”.

  6. Give a name to the rule (eg. Host Header Validation).

  7. In the “Match URL” section, enter (.*) in the “Pattern” field.

  8. In “Conditions” section, click “Add”.

  9. Enter {HTTP_HOST} into “Condition input” field.

  10. Select the “Does Not Match the Pattern” option from the “Check if input string” list.

  11. Enter ^([a-zA-Z0-9_-]+\.)domain\.com$ into the “Pattern” field (the dots are escaped so they match only a literal dot; change domain to your actual domain).

  12. In the “Action” section, select “Abort Request” from the “Action type” list.

  13. Click “Apply” on the right side.
