The HTTP Host header is mandatory in HTTP/1.1 requests and names the domain (and optionally the port) the client wants to reach. It matters most with virtual hosting: a single IP address may serve several sites, and the server relies on the Host value to decide which site a request is for. For example, the same machine may serve a blog at blog.example.com and a git repository at dev.example.com. To reach one or the other, the client sends Host: blog.example.com or Host: dev.example.com, respectively.
A Host header injection vulnerability arises when the target application uses the value of the Host header unsafely, typically to construct an absolute URL, trusting that it names the application's own domain even though the value is entirely under the client's control.
Password reset poisoning uses Host header injection to make a vulnerable application generate a password reset link that points to an attacker-controlled domain. This can be leveraged to steal the secret tokens required to reset other users' passwords and thereby take over their accounts.
Applications typically implement password resets by emailing the user a link that carries a single-use token, such as:
example.com/reset?token=abcdefghijklmnopqrstuvwxyz
If the Host header of the reset request is used to build that URL, an adversary can use it to capture the token of an arbitrary user. The adversary submits a password reset request for the victim, e.g. carlos, intercepts the request and changes the Host header to a domain they control, such as Host: exploit-server.com. The server then generates a reset URL resembling http://exploit-server.com/reset?token=abcdefghijklmnopqrstuvwxyz and emails it to the victim; the email looks legitimate because it genuinely comes from the application's own mail system. If the victim clicks the link, the token is delivered to the attacker's exploit-server.com, which simply logs the incoming request. The attacker then submits that token to the real application and sets a new password for carlos.
User interaction is not always required. Emails are routinely scanned for spam and malware, and such scanners often fetch the links they find automatically, which hands the token to the attacker without the victim doing anything. Whether the attack works at all depends on the application accepting an arbitrary Host value: front-ends that route by Host may reject unknown domains, in which case override headers such as X-Forwarded-Host, if the application honours them, provide the same injection point.
Mitigation:
- Do not use the Host header to build absolute URLs; generate them from a canonical domain fixed in the application's configuration.
- If using the Host header is unavoidable, validate it against a whitelist of permitted domains and reject anything else. Different frameworks provide different mechanisms for this.
- Do not support override headers such as X-Forwarded-Host.
- Configure the web server or reverse proxy to accept only recognised values of the Host header, so that requests for unknown domains never reach the application.
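The following added example (written for this page, not code from the original or from any particular framework) shows the attack on the server side and the two mitigations above. It parses a constructed reset request, builds the link the way a vulnerable application does (trusting Host and X-Forwarded-Host), and then builds it the hardened way: either ignoring Host entirely in favour of a configured canonical domain, or validating Host against a whitelist and rebuilding the URL from the parsed hostname only. The domain names, the ALLOWED_HOSTS set and the request bodies are assumptions for illustration.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Assumed deployment configuration: the canonical domain and the whitelist of
# hosts this application legitimately serves (constructed for the example).
CANONICAL_BASE = "https://example.com"
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser returning a lower-cased header map.
    It handles only what this example needs; it is not a general parser."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    _request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def new_token() -> str:
    """An unguessable reset token. Poisoning does not weaken the token, it leaks it."""
    return secrets.token_urlsafe(32)


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Bug: the client-supplied Host (and the X-Forwarded-Host override) is
    trusted, so whatever the request carries ends up in the emailed link."""
    host = headers.get("x-forwarded-host") or headers["host"]
    return f"http://{host}/reset?{urlencode({'token': token})}"


def canonical_reset_link(headers: dict, token: str) -> str:
    """Mitigation 1: never consult the request; use the configured domain."""
    return f"{CANONICAL_BASE}/reset?{urlencode({'token': token})}"


def host_is_allowed(host: str) -> bool:
    """Mitigation 2 helper: whitelist check on the parsed hostname.
    urlsplit on '//host' strips a port, lower-cases the name and treats
    'example.com@evil' as userinfo@host, so the part an attacker actually
    controls is what gets compared against the whitelist."""
    try:
        hostname = urlsplit("//" + host).hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    return hostname in ALLOWED_HOSTS


def validated_reset_link(headers: dict, token: str) -> str:
    """Mitigation 2: Host is validated against the whitelist and the URL is
    rebuilt from the parsed hostname only. X-Forwarded-Host is never read."""
    host = headers.get("host", "")
    if not host_is_allowed(host):
        raise ValueError(f"unrecognised Host header: {host!r}")
    hostname = urlsplit("//" + host).hostname
    return f"https://{hostname}/reset?{urlencode({'token': token})}"


if __name__ == "__main__":
    # Constructed sample: the intercepted request with Host rewritten by the attacker.
    poisoned = parse_request(
        b"POST /forgot-password HTTP/1.1\r\n"
        b"Host: exploit-server.com\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        b"username=carlos"
    )
    token = new_token()
    print("vulnerable:", vulnerable_reset_link(poisoned, token))
    print("canonical: ", canonical_reset_link(poisoned, token))
    print("validated: ", "rejected" if not host_is_allowed(poisoned["host"])
          else validated_reset_link(poisoned, token))
```

The whitelist variant rebuilds the URL from the parsed hostname rather than echoing the raw header, so a Host value such as example.com@exploit-server.com or example.com/evil cannot smuggle extra structure into the link even if its hostname part passes the check.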