Host Header Attack

PreviousVersion Disclosure NextHttpOnly and Secure Flag

Last updated 5 years ago

Was this helpful?

Host Header Attack

Introduction

It is common practice for the same web server to host several websites or web applications on the same IP address. This why the host header exists. The host header specifies which website or web application should process an incoming HTTP request. The web server uses the value of this header to dispatch the request to the specified website or web application.

How to Test

Steps

Go to the respective site (eg. )
Open Burp suite Community Edition. Here, is the to configuration on your browser.
In burp suite, go to proxy tab and go to HTTP history. Then sent any request to the repeater by right click on the packet.

Change the Host: demo.testfire.net to Host: Attacker.com then the website is goes in attacker.com .

Solutions

PHP

Method 1

This is a simple code to verify the host header. We use $_SERVER['HTTP_HOST'] to declare the host name. In that code, $SERVER['HTTP_HOST'] and required host is same, then proceed to sent the request, if not make the request as error. We have to insert the code in the required php file.

<?php
$host = $_SERVER['HTTP_HOST'];

if($host == "Host_name"){
// make use of $host varaiable for your requiremets
}
else{
echo"invalid access error messages";}
?>

Method 2

In this, we can declared that, what are all the domains will be accessed from the webpage.

$domains = [‘abc.example.com’, ‘foo.bar.com’];
if ( ! in_array($_SERVER[‘SERVER_NAME’], $domains)) {
// error
}

APACHE

Method 1

To mitigate Host Header attacks, we have to create Virtual Host entries in the configuration file. We have to configure in httpd.conf file.

#Configures the virtual host listening for all IPs on PORT 80.
<VirtualHost *:80> 
 ServerName yourdomain.com
 ServerAlias www.yourdomain.com
 DocumentRoot /path/to/your/webroot/directory
</VirtualHost>

Method 2

We can verify the host header by regex pattern. If the regex is not matched, it will redirected to the predefined URL. We can configure in .htaccess or in httpd.conf files.

#It can allow 3rd level subdomain ({0,3}) name and in the length of 1 to 20 ({1,20}). We can change for you convenience.
RewriteEngine On
RewriteCond %{HTTP_HOST} !^([a-zA-Z0-9-_]{1,20}.){0,3}domain.com$ 
RewriteRule ^(.*)$ https://domain.com/ [R=301,L]

ASP.NET

You can use URL Rewrite rules in IIS to find malicious host headers. Perform the steps below:

Go to IIS Manager.
Click on the site.
Double click on “URL Rewrite” (it should be installed).
Click “Add Rule(s)” on the right side.
Select “Blank rule” in Inbound rules. Click “OK”.
Give a name to the rule (eg. Host Header Validation).
.In “Match URL” section, enter (.*) in “Pattern” field.
In “Conditions” section, click “Add”.
Enter {HTTP_HOST} into “Condition input” field.
Select “Does Not Match the Pattern” option from “Check if input string” list
Enter ^([a-zA-Z0-9-_]+.)domain.com$ into “Pattern” field (change domain to your actual domain).
In the “Action” section, select “Abort Request” from the “Action type” list.
Click “Apply” on the right side.

References

PreviousVersion Disclosure NextHttpOnly and Secure Flag

Last updated 5 years ago

Was this helpful?

Introduction

How to Test

Steps

Go to the respective site (eg. )
Open Burp suite Community Edition. Here, is the to configuration on your browser.
In burp suite, go to proxy tab and go to HTTP history. Then sent any request to the repeater by right click on the packet.

Change the Host: demo.testfire.net to Host: Attacker.com then the website is goes in attacker.com .

Solutions

PHP

Method 1

<?php
$host = $_SERVER['HTTP_HOST'];

if($host == "Host_name"){
// make use of $host varaiable for your requiremets
}
else{
echo"invalid access error messages";}
?>

Method 2

In this, we can declared that, what are all the domains will be accessed from the webpage.

$domains = [‘abc.example.com’, ‘foo.bar.com’];
if ( ! in_array($_SERVER[‘SERVER_NAME’], $domains)) {
// error
}

APACHE

Method 1

To mitigate Host Header attacks, we have to create Virtual Host entries in the configuration file. We have to configure in httpd.conf file.

#Configures the virtual host listening for all IPs on PORT 80.
<VirtualHost *:80> 
 ServerName yourdomain.com
 ServerAlias www.yourdomain.com
 DocumentRoot /path/to/your/webroot/directory
</VirtualHost>

Method 2

We can verify the host header by regex pattern. If the regex is not matched, it will redirected to the predefined URL. We can configure in .htaccess or in httpd.conf files.

#It can allow 3rd level subdomain ({0,3}) name and in the length of 1 to 20 ({1,20}). We can change for you convenience.
RewriteEngine On
RewriteCond %{HTTP_HOST} !^([a-zA-Z0-9-_]{1,20}.){0,3}domain.com$ 
RewriteRule ^(.*)$ https://domain.com/ [R=301,L]

ASP.NET

You can use URL Rewrite rules in IIS to find malicious host headers. Perform the steps below:

Go to IIS Manager.
Click on the site.
Double click on “URL Rewrite” (it should be installed).
Click “Add Rule(s)” on the right side.
Select “Blank rule” in Inbound rules. Click “OK”.
Give a name to the rule (eg. Host Header Validation).
.In “Match URL” section, enter (.*) in “Pattern” field.
In “Conditions” section, click “Add”.
Enter {HTTP_HOST} into “Condition input” field.
Select “Does Not Match the Pattern” option from “Check if input string” list
Enter ^([a-zA-Z0-9-_]+.)domain.com$ into “Pattern” field (change domain to your actual domain).
In the “Action” section, select “Abort Request” from the “Action type” list.
Click “Apply” on the right side.