This post explains HTTP Host header poisoning and the consequences of exploiting it, such as cache poisoning and stealing password-reset tokens.
Hello again,
This time we are going to explain in detail an old, limited vulnerability: Host header injection.
Since you cannot force a browser to issue an HTTP request with an injected Host header, this vulnerability cannot be exploited directly against users. Internet Explorer is the only vulnerable browser that issues an injected Host header when it gets redirected; this was discovered by Sergey Bobrov, and Microsoft did not fix it quickly. The bug is fixed on Windows 10; Windows 7 is still vulnerable.
The impact of injecting the Host header:
– Cache poisoning
– Password-reset link hijacking
First, let's explain cache poisoning.
What is a cache? Let's assume you browse a newspaper or magazine website that lets you choose multiple options to customize your feed: your country, area, favorite topics, etc. The web application takes your input, searches the back end and displays the result to you. This process might take some time, so caching was invented to serve the last result instead of repeating the whole process.
Now, what if you can alter this result? Another user may request the same resource, and the cache server will respond with your malicious result. This can lead to other consequences such as defacement or phishing.
Second, hijacking password-reset links or codes.
When you forget your Facebook password and request a new one, Facebook emails you a link that contains a 6-digit code, as follows:
This is what happens on the front end. What about the back end?
First, Facebook generates a random code, then constructs a URL and sends it to you.
Look at the code: some of the functions do not exist, they are only in my mind. The code itself is not the point; our main point here is how the web application gets the host before constructing the link. Let's talk about another website, since Facebook is not vulnerable to this issue. Let's suppose mysocial.com is vulnerable to Host header injection, so it takes your host and prints it.
In PHP, some developers trust the user-supplied host; they think it cannot be edited, so:
This value is controlled by an attacker.
Now the web application thinks that the user forgot his password and that it should send him a link to reset it. The code will be as follows:
Did you notice?
In PHP this value is set by the end user [SERVER_NAME is not], so what if an attacker sets this value to evil.com? The final link that will be sent to the real user becomes:
This link will now be sent to the real user.
Then the attacker, who owns evil.com, will create a new directory on his website named account, and inside this directory a new file named reset.php containing the following code:
What is this? It is a real phishing attack performed with help from the web application itself. The real user will check his inbox, find the malicious link and click on it; the code will be sent to the attacker's website and stored there thanks to the reset.php file. The attacker now takes the real code or hash and resets the password of the victim user, assuming the victim will think the link is broken after clicking and not that it is phishing.
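As an added example that is not code from the original post, here is the reset-link construction described above written out in PHP: the form that trusts $_SERVER['HTTP_HOST'] beside a hardened form that checks the Host header against an allowlist and builds the link from a configured canonical host. The names mysocial.com, the allowlist and the sample code are assumed placeholders.

```php
<?php
// Added example, not the post's own code. Shows why a reset link must never
// be built from the request's Host header, and one way to build it safely.
// mysocial.com, the allowlist and the code value are constructed placeholders.
declare(strict_types=1);

// Vulnerable form: the host comes straight from the request's Host header,
// which PHP exposes as $_SERVER['HTTP_HOST'] and which the client controls.
function buildResetLinkVulnerable(string $code, array $server): string
{
    return 'https://' . $server['HTTP_HOST'] . '/account/reset.php?code=' . rawurlencode($code);
}

// Hardened form: the request's Host header is only ever compared against an
// allowlist; the link itself is built from a server-side configured name.
function buildResetLinkSafe(string $code, array $server, array $allowedHosts, string $canonicalHost): string
{
    $requestHost = strtolower($server['HTTP_HOST'] ?? '');
    // Drop an optional port (Host: mysocial.com:443) before comparing.
    $requestHost = preg_replace('/:\d+$/', '', $requestHost);
    if (!in_array($requestHost, $allowedHosts, true)) {
        // Unknown host: refuse to send anything rather than guess.
        throw new RuntimeException('Unexpected Host header: ' . $requestHost);
    }
    return 'https://' . $canonicalHost . '/account/reset.php?code=' . rawurlencode($code);
}

$code    = '123456';                              // constructed sample token
$allowed = ['mysocial.com', 'www.mysocial.com'];  // constructed allowlist

// Legitimate request: both forms produce a link on the site's own domain.
$ok = ['HTTP_HOST' => 'www.mysocial.com'];
echo buildResetLinkVulnerable($code, $ok), "\n";
echo buildResetLinkSafe($code, $ok, $allowed, 'mysocial.com'), "\n";

// Forged Host header, as in the post: the vulnerable form puts the attacker's
// domain into the link that would be mailed to the victim; the safe form rejects it.
$forged = ['HTTP_HOST' => 'evil.com'];
echo buildResetLinkVulnerable($code, $forged), "\n";
try {
    buildResetLinkSafe($code, $forged, $allowed, 'mysocial.com');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same rule applies to any absolute URL the application generates, such as links in other e-mails or redirects: read the host from configuration, not from the request.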
Now we have explained what Host injection is.
How to detect it: it is like normal XSS, you have to inject something and see whether it is reflected or not.
Using curl on your Unix machine, this command is enough to detect Host injection:
curl -H 'Host: evil.com' http://targetwebsite.com/ -i
Windows users can use Burp Repeater, but you need to write the request yourself, or use our tool Host Injector, which has some auto-generated payloads to bypass some filters.