
Exploiting Host-Header Injection

For account takeover:

Host-Header:

Nowadays a single web server is often used to deploy more than one application, which means all of those applications resolve to the same IP address. To avoid confusion, the Host header is used: it specifies which application a given request should be routed to.

Host header attacks are very common in cloud infrastructure, and many applications take their own hostname from the Host header to understand where they are hosted.

How to bypass:

· By providing any random domain in the Host header. If the response still comes back 200 OK, the application is not validating the value.

· By providing the same domain but with a random port in the Host header, if we still get 200 OK in the response.


· X-Forwarded-Host: by supplying this header we override the Host header value in applications that honour it (typically those deployed behind a reverse proxy).

· By injecting the same Host header twice; the front end and the application may not agree on which copy to use.

· By supplying an absolute URL: web servers generally work with relative paths in the request line, but some applications accept an absolute URL there and take the host from it instead of from the Host header.

What vulnerabilities can be exploited by changing the Host header:

· Web cache poisoning: the attacker poisons the website's web cache, so anyone who visits the cached page receives the poisoned content.

· Password reset poisoning: applications usually generate a secret token and build the password reset link from the domain in the Host header, appending the password reset token to it.

For example, if the value of the Host header is google.com, the password reset link will look like google.com/password-reset-token.

An attacker can use a malicious domain under his control to request a reset for the email/username of the legitimate user. The legitimate user receives a link in which the attacker's domain is combined with a valid password reset token. If the user clicks the link, the request goes to the attacker's server, so the attacker obtains the reset token and can use it to change the user's password.

Working:


· The attacker browses an application that is vulnerable to Host header injection.

· The attacker modifies the Host header and passes a domain he controls in the request that generates the password reset link.

· The website uses the domain from the Host header to generate the password reset link (the Host header value becomes the domain in the link), which is sent to the victim by email.

· The user clicks the link, and since the attacker-controlled domain is in it, the request arrives at the attacker's server.

· The attacker extracts the reset token from the request logged on his server and uses that token to take over the user's account.


Exploitation:

Here the attacker uses password reset poisoning to take control of a legitimate user's account. Some applications use the Host header directly in the password reset link.

Go to the password reset page of the website, enter any valid username in the field, and intercept the request using an intercepting proxy.


Intercepted request:


The attacker changes the Host header to the address of his own domain, or of a domain where he is logging all requests sent to it.


After forwarding the request, we get 200 OK in the response.

The user unknowingly clicks the link, thinking it was generated by the legitimate website.

The attacker checks his domain's logs, where all requests sent to the server are recorded, and finds a request carrying the password reset token.


The attacker now uses the legitimate user's “temp-forgot-password-token” on the website's password change page to set a new password and take over the account.

Check the token generated for the attacker's own account:


Open this link in the browser and intercept the request:


In the intercepted request, the attacker replaces his own token value with the legitimate user's token and forwards the request. After forwarding, the attacker was able to change the legitimate user's credentials.


Using the new credentials, the attacker can log in to the legitimate user's account.
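The walkthrough above leaves a trace on the vulnerable server as well: the reset request that produced the poisoned link arrived with a Host (or X-Forwarded-Host) value the site never serves. The following detector, an added example that is not part of the original post, runs over constructed access-log lines and flags reset-endpoint requests whose host headers do not match an allowlist. It assumes a custom log format in which the web server records the Host and X-Forwarded-Host request headers (written as "-" when absent); the hostnames, IP addresses and log lines are all constructed.

```python
"""Spotting password-reset poisoning attempts in access logs.

Added example, not from the original post. It assumes a custom log format in
which the web server records the Host and X-Forwarded-Host request headers
(written as "-" when absent); the log lines, hostnames and IPs are constructed.
"""
import re
from collections import Counter
from typing import Dict, List

ALLOWED_HOSTS = {"app.example.com", "www.example.com"}   # constructed allowlist
RESET_PATHS = ("/forgot-password", "/password-reset")     # endpoints that mail a link

# Constructed sample lines. 203.0.113.44 tries three variants from the post:
# a foreign Host, an X-Forwarded-Host override, and the real host on an
# unexpected port. Every attempt was answered 200, as the post observes.
SAMPLE_LOG = """\
203.0.113.10 - [01/Jan/2024:10:00:01 +0000] "POST /forgot-password HTTP/1.1" 200 host="app.example.com" xfh="-"
203.0.113.44 - [01/Jan/2024:10:00:07 +0000] "POST /forgot-password HTTP/1.1" 200 host="attacker.example" xfh="-"
203.0.113.44 - [01/Jan/2024:10:00:09 +0000] "POST /forgot-password HTTP/1.1" 200 host="app.example.com" xfh="attacker.example"
203.0.113.44 - [01/Jan/2024:10:00:12 +0000] "POST /forgot-password HTTP/1.1" 200 host="app.example.com:8443" xfh="-"
198.51.100.7 - [01/Jan/2024:10:01:00 +0000] "GET /login HTTP/1.1" 200 host="attacker.example" xfh="-"
"""

_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) host="(?P<host>[^"]*)" xfh="(?P<xfh>[^"]*)"$'
)


def find_reset_poisoning_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return reset-endpoint requests whose host-related headers look tampered with."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m or not m.group("path").startswith(RESET_PATHS):
            continue  # unparseable line, or not an endpoint that mails a link
        reasons = []
        if m.group("host").lower() not in ALLOWED_HOSTS:
            reasons.append("Host not in allowlist")     # foreign domain or odd port
        if m.group("xfh") != "-":
            reasons.append("X-Forwarded-Host present")  # override attempt
        if reasons:
            hits.append({"client": m.group("client"), "time": m.group("time"),
                         "host": m.group("host"), "xfh": m.group("xfh"),
                         "reasons": reasons})
    return hits


def attempts_per_client(hits: List[Dict[str, object]]) -> Counter:
    """Count flagged requests per source address, to spot one client probing repeatedly."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_reset_poisoning_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["client"]} host={h["host"]} xfh={h["xfh"]}: '
              f'{", ".join(h["reasons"])}')
    print(attempts_per_client(found))
```

The check is only as good as the log: if a reverse proxy rewrites Host before the application sees it, the allowlist comparison must run on the edge server's logs, and X-Forwarded-Host is only visible if the log format records it. A Host value with a port (the `:8443` line) is treated as not allowlisted on purpose, since the post lists a random port as one of the probes.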

Remediation

· Validate the Host header before using it; do not trust it blindly or rely on it completely.

· Whitelist the allowed Host header hostnames.

· Check the Host header for invalid or injected input.
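To make the remediation concrete, and to show how each probe from the "How to bypass" list above is turned away, here is a password reset link builder in the Host-trusting form beside a hardened one. This is an added example, not code from the original post or from any application shown in it; the allowlist, hostnames, header values and token are constructed, and the request headers are modelled as a list of (name, value) pairs so that a duplicated Host header is visible, as it is on the wire.

```python
"""Password reset link generation: the Host-trusting pattern beside a hardened one.

Added example, not code from the original post or from any application it shows.
The hostnames, header values and token below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]

# Constructed allowlist: the hostnames this deployment is actually served under,
# and the only ports a browser should ever reach it on.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}
ALLOWED_PORTS = {None, 443}

# Strict shape for a Host value: DNS labels, optional ":port", nothing else.
# Absolute URLs ("http://..."), paths, userinfo ("x@y") and stray characters
# all fail to match, so they never reach the allowlist comparison.
_HOST_RE = re.compile(
    r"^([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)"
    r"(?::([0-9]{1,5}))?$"
)


def _header_values(headers: Headers, name: str) -> List[str]:
    return [v for n, v in headers if n.lower() == name.lower()]


def vulnerable_reset_link(headers: Headers, token: str) -> str:
    """The flaw the post describes: the link's domain is whatever the client sent.

    Preferring X-Forwarded-Host mirrors proxy-aware frameworks; taking the
    first Host copy mirrors a server that does not reject duplicates.
    """
    forwarded = _header_values(headers, "X-Forwarded-Host")
    host = forwarded[0] if forwarded else _header_values(headers, "Host")[0]
    return f"https://{host}/password-reset?token={token}"


def validated_host(headers: Headers) -> Optional[str]:
    """Return the allowlisted hostname for this request, or None to reject it."""
    hosts = _header_values(headers, "Host")
    if len(hosts) != 1:
        return None  # missing or duplicated Host header
    match = _HOST_RE.match(hosts[0].strip().lower())
    if not match:
        return None  # absolute URL, path, userinfo or invalid characters
    hostname, port = match.group(1), match.group(2)
    if hostname not in ALLOWED_HOSTS:
        return None  # random domain
    if (int(port) if port else None) not in ALLOWED_PORTS:
        return None  # same domain, unexpected port
    # X-Forwarded-Host is deliberately never consulted here.
    return hostname


def safe_reset_link(headers: Headers, token: str) -> str:
    """Build the link only from a validated hostname; refuse anything else."""
    host = validated_host(headers)
    if host is None:
        raise ValueError("untrusted Host header; refusing to build reset link")
    return f"https://{host}/password-reset?token={token}"


if __name__ == "__main__":
    token = "constructed-token-123"
    probes = [
        [("Host", "evil.example")],                                        # random domain
        [("Host", "app.example.com:8080")],                                # random port
        [("Host", "app.example.com"), ("X-Forwarded-Host", "evil.example")],
        [("Host", "app.example.com"), ("Host", "evil.example")],           # duplicated
        [("Host", "http://evil.example/")],                                # absolute URL
        [("Host", "APP.example.com:443")],                                 # legitimate
    ]
    for headers in probes:
        try:
            hardened = safe_reset_link(headers, token)
        except ValueError as exc:
            hardened = f"rejected ({exc})"
        print(f"{headers!r}\n  vulnerable: {vulnerable_reset_link(headers, token)}"
              f"\n  hardened:   {hardened}")
```

The simplest deployment goes one step further than the allowlist: the application reads its canonical hostname from configuration and never uses the Host header when building links at all, so the validation above only decides whether to serve the request. Either way, a request whose Host fails validation should be rejected outright rather than answered 200 OK, since that 200 is exactly the signal the probes above look for.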

Written by

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg
