
HTTP HOST header attacks

Sergey Belov - HTTP HOST header attacks

Published in: Science

  1. Sergey Belov @sergeybelove
  2. Two main purposes: • Virtual host • Proxy balancer
      GET / HTTP/1.1
      Host: www.example.com
      ...
  3. Tampering can lead to: • Password reset poisoning • Cache poisoning • Access to internal hosts • Cross-Site Scripting + filter bypass
  4. Normal cases: • <a href="//user/page">page</a> • <a href="http://example.com/user/page">page</a>
  5. Possible results after tampering: • Error • Default host / N/A • First virtual host (apache / nginx – 000-default.conf) • Tampered header in result HTML
      GET / HTTP/1.1
      Host: www.evil.com
      ...
  6. Test case: 1) Go to password reset page 2) Spoof HOST header to attacker.com 3) Use victim’s email & submit
  7. http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
  8. http://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
  9. Possible victims: • Drupal • Django • Joomla • ...? For developers: • https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-ALLOWED_HOSTS • https://www.drupal.org/node/2221699
  10. Normal cases: • <a href="//user/page">page</a> • <a href="http://example.com/user/page">page</a>
  11. 1) Spoof
      GET / HTTP/1.1
      Host: www.evil.com
  12. 2) Spoof with 2 headers
      GET / HTTP/1.1
      Host: www.example.com
      Host: www.evil.com
  13. 3) Spoof with X-Forwarded
      GET / HTTP/1.1
      Host: www.evil.com
      X-Forwarded-Host: evil.com
  14. 1, 2, 3 can lead to persistent XSS on the server side
  15. A typical action while pentesting: bruteforcing subdomains. What about HOST header bruteforcing?
  16. • Let’s try to bruteforce HOST here!
  17. MSF /modules/auxiliary/scanner/http/vhost_scanner.rb isn’t good: valstr = [ "admin", "services", "webmail", "console", "apps", "mail", "intranet", "intra", "spool", "corporate", "www", "web" ]
  18. example.com. Prefixes: • beta.example.com • dev.example.com • ... Zones: • example.test • example.dev • example.beta • ... + different combinations. https://github.com/BeLove/avhbf - good :)
  19. Facts: • Originally disclosed by @Black2Fan in 2013 • HOST header appears in result HTML • Works only in IE
  20. Our goal: spoof the HOST header in a request made by the victim (like a reflected XSS/CSRF)
  21. • Host header after redirect • Normal case
      Response: ... Location: http://example.com%2flogin.php
      Request: ... Host: example.com
  22. • Host header after redirect • IE (any version) case
      Response: ... Location: http://example.com%2flogin.php
      Request: ... Host: example.com/login.php
  23. GET /login.phphp/ HTTP/1.1
      Accept: text/html, application/xhtml+xml, */*
      Accept-Language: pl-PL
      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
      Accept-Encoding: gzip, deflate
      Host: example.com/login.php
      DNT: 1
      Connection: Keep-Alive
      Cache-Control: no-cache
  24. • XSS filter bypass (original example) http://blackfan.ru %252F<img%252Fsrc='x'onerror=alert(1)> %252F.%252e%252F.%252e%252F%253F%2523
  25. Now https://sergeybelove.ru/one-button-scan/ can do this check & auto-generate exploits
  26. • http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html • https://web.archive.org/web/20131107024350/http://blackfan.ru/ • http://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/ • http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
  27. Spoof host header while pentesting1!11!!1!!!! Any questions? @sergeybelove
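The password reset test case on slide 6 works only because the application builds the reset link out of the request's Host header. The following is an added example (mine, not code from the slides) that puts the poisonable link builder next to a hardened one which takes the origin from configuration and never reads the request. CANONICAL_ORIGIN, ResetService, the in-memory token store and the spoofed header values in the comments are assumptions made for this example.

```python
"""Password-reset link generation: the Host-derived (poisonable) form beside
the hardened form.  Added example, not part of the original slides.
Assumptions: the request is represented by its headers as a dict,
CANONICAL_ORIGIN is a deployment setting, the token store is in-memory."""
import hashlib
import secrets
import time
from urllib.parse import urlsplit

# Constructed deployment setting: the only origin a reset link may point to.
CANONICAL_ORIGIN = "https://www.example.com"
TOKEN_TTL_SECONDS = 15 * 60


def link_from_host(headers: dict, token: str) -> str:
    """Poisonable: the link's host comes from the request, so a spoofed Host
    (or X-Forwarded-Host) ends up in the victim's e-mail and the victim's
    click delivers the token to that host.  Kept only for comparison."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}/reset?token={token}"


def link_from_config(headers: dict, token: str) -> str:
    """Hardened: the request headers are not consulted at all."""
    return f"{CANONICAL_ORIGIN}/reset?token={token}"


class ResetService:
    """Issues single-use, expiring reset tokens; stores only their hash."""

    def __init__(self, link_builder, now=time.time):
        self._build = link_builder
        self._now = now
        self._store = {}  # sha256(token) -> (email, expires_at)

    def request_reset(self, headers: dict, email: str) -> str:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._store[digest] = (email, self._now() + TOKEN_TTL_SECONDS)
        return self._build(headers, token)  # the link that would be mailed

    def redeem(self, token: str):
        """Return the e-mail bound to a valid token, or None; tokens are
        consumed on first use and rejected after TOKEN_TTL_SECONDS."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._store.pop(digest, None)
        if entry is None or entry[1] < self._now():
            return None
        return entry[0]


def link_host(link: str) -> str:
    """Host a reset link would send the token to (used to compare builders)."""
    return urlsplit(link).hostname


def token_of(link: str) -> str:
    return urlsplit(link).query.split("token=", 1)[1]
```

The only difference between the two builders is where the host comes from; everything else (token entropy, hashed storage, single use, expiry) is identical, which is the point: a reset flow can be otherwise correct and still be poisoned if any absolute URL it emits is derived from the request.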

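Slides 11 to 13 list three ways the Host value can be spoofed (a bare spoof, two Host headers, and X-Forwarded-Host), and slides 21 to 23 show IE sending a Host value that carries a path. The inbound check below is an added example, not code from the slides or from any of the projects named on them; it rejects all four cases against a Django-style allow-list. ALLOWED_HOSTS, TRUSTED_PROXIES, the peer addresses and the raw requests in the usage are constructed for the example.

```python
"""Host header validation as an inbound check.  Added example, not part of
the original slides.  Rejects duplicate Host headers, X-Forwarded-Host from a
peer that is not a trusted reverse proxy, malformed values such as
"example.com/login.php", and any host outside the allow-list."""
import re

# Constructed settings.  A leading "." allows any subdomain, in the style of
# Django's ALLOWED_HOSTS setting referenced on slide 9.
ALLOWED_HOSTS = {"www.example.com", "example.com", ".api.example.com"}
TRUSTED_PROXIES = {"10.0.0.5"}

# Hostname (letters, digits, hyphen, dots) or bracketed IPv6 literal, with an
# optional port.  A "/" can never match, so a Host carrying a path is
# rejected before any allow-list logic runs.
_HOST_RE = re.compile(
    r"^(?:[a-z0-9-]+(?:\.[a-z0-9-]+)*\.?|\[[0-9a-f:.]+\])(?::\d{1,5})?$", re.I
)


def parse_headers(raw: str) -> list:
    """Split a raw HTTP/1.1 request head into (lowercased name, value) pairs,
    keeping duplicates so they can be detected rather than silently merged."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def _hostname(host: str) -> str:
    """Strip an optional port and trailing dot, and normalise case."""
    if host.startswith("["):  # IPv6 literal: the port follows the "]"
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]
    return host.lower().rstrip(".")


def _allowed(hostname: str, allowed: set) -> bool:
    for pattern in allowed:
        if pattern.startswith("."):
            if hostname == pattern[1:] or hostname.endswith(pattern):
                return True
        elif hostname == pattern:
            return True
    return False


def effective_host(headers, peer_ip, allowed=ALLOWED_HOSTS,
                   trusted_proxies=TRUSTED_PROXIES):
    """Return (host, reason): the validated Host value (port kept) that the
    application may use, or None plus the reason it was rejected."""
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1:
        return None, "missing or duplicate Host header"
    host = hosts[0]
    forwarded = [v for n, v in headers if n == "x-forwarded-host"]
    if forwarded:
        if peer_ip not in trusted_proxies:
            return None, "X-Forwarded-Host from untrusted peer"
        if len(forwarded) != 1:
            return None, "duplicate X-Forwarded-Host header"
        host = forwarded[0]  # only a trusted proxy may override Host
    if not _HOST_RE.match(host):
        return None, "malformed Host value"
    if not _allowed(_hostname(host), allowed):
        return None, "Host not in allow-list"
    return host, "ok"


def check(raw: str, peer_ip: str):
    """Convenience wrapper: validate the Host of a raw request from peer_ip."""
    return effective_host(parse_headers(raw), peer_ip)
```

Rejecting on a second Host header, rather than taking the first or the last, matters because the front proxy and the application may disagree on which one wins; treating X-Forwarded-Host as meaningful only from a known proxy address closes the third variant without breaking legitimate reverse-proxy deployments.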