HTTP HOST header attacks
Download as PPTX, PDF6 likes21,519 views
The document discusses vulnerabilities related to HTTP host header attacks, including methods for exploiting these weaknesses through packet tampering and spoofing. It outlines various cases and potential outcomes of these attacks, along with examples of affected platforms and links for further reading. The author emphasizes the significance of proper header validation to prevent such security issues in web applications.
![MSF - /modules/auxiliary/scanner/http/vhost_scanner.rb – isn’t good
valstr = [
"admin",
"services",
"webmail",
"console",
"apps",
"mail",
"intranet",
"intra",
"spool",
"corporate",
"www",
"web"
]](https://image.slidesharecdn.com/ccdcg-150907010649-lva1-app6892/85/HTTP-HOST-header-attacks-18-320.jpg)
More Related Content
![[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://cdn.slidesharecdn.com/ss_thumbnails/presentationdefconrussia-160406215741-thumbnail.jpg?width=560&fit=bounds)
![[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux](https://cdn.slidesharecdn.com/ss_thumbnails/revealingrootkitsv5-170328122611-thumbnail.jpg?width=560&fit=bounds)
![[Defcon Russia #29] Алексей Тюрин - Spring autobinding](https://cdn.slidesharecdn.com/ss_thumbnails/springautobinding-170328123002-thumbnail.jpg?width=560&fit=bounds)
![[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...](https://cdn.slidesharecdn.com/ss_thumbnails/intelbgpart2-170328124242-thumbnail.jpg?width=560&fit=bounds)
![[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...](https://cdn.slidesharecdn.com/ss_thumbnails/preza-170328124723-thumbnail.jpg?width=560&fit=bounds)
Similar to HTTP HOST header attacks (20)
HTTP HOST header attacks
- 2. 2 main puproses: Virtual host Proxy balancer GET / HTTP/1.1 Host: www.example.com ...
- 3. Tampering can leak to: Password reset poisoning Cache poisoning Access to internal hosts Cross Site Scripting + filter bypass
- 4. Normal cases: <a href=“//user/page”>page</a> <a href=“http://example.com/user/page”>page</a>
- 5. Possible results after tampering: Error Default host / N/A First virtual host (apache / nginx – 000-default.conf) Tampered header in result html GET / HTTP/1.1 Host: www.evil.com ...
- 6. Test case: 1) Go to password reset page 2) Spoof HOST header to attacker.com 3) Use victim’s email & submit
- 9. Possible victims: • Drupal • Django • Joomla • ...? For developers: • https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-ALLOWED_HOSTS • https://www.drupal.org/node/2221699
- 11. Normal cases: <a href=“//user/page”>page</a> <a href=http://example.com/user/page>page</a>
- 12. 1) Spoof GET / HTTP/1.1 Host: www.evil.com
- 13. 2) Spoof with 2 headers GET / HTTP/1.1 Host: www.example.com Host: www.evil.com
- 14. 3) Spoof with X-Forwarded GET / HTTP/1.1 Host: www.evil.com X-Forwarded-Host: evil.com
- 15. 1,2,3 can leak to perm XSS on server side
- 16. A typical action while penesting – bruteforcing subdomains What about HOST header bruteforcing?
- 17. Let’s try to bruteforce HOST here!
- 18. MSF - /modules/auxiliary/scanner/http/vhost_scanner.rb – isn’t good valstr = [ "admin", "services", "webmail", "console", "apps", "mail", "intranet", "intra", "spool", "corporate", "www", "web" ]
- 19. example.com Prefixes • beta.example.com • dev.example.com • ... Zones • example.test • example.dev • example.beta • ... + different combinations https://github.com/BeLove/avhbf - good :)
- 20. Facts: Originally disclosed by @Black2Fan in 2013 HOST header appears in result HTML Works only in IE
- 21. Our goal – Spoof HOST header in request by victim (like a reflected XSS/CSRF)
- 22. Host header after redirect Normal case Response: ... Location: http://example.com%2flogin.php Request: ... Host: example.com
- 23. Host header after redirect IE (any version) case Response: ... Location: http://example.com%2flogin.php Request: ... Host: example.com/login.php
- 24. GET /login.phphp/ HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: pl-PL User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: example.com/login.php DNT: 1 Connection: Keep-Alive Cache-Control: no-cache
- 26. XSS filter bypass (original example) http://blackfan.ru %252F<img%252Fsrc='x'onerror=alert(1)> %252F.%252e%252F.%252e%252F%253F%2523
- 27. Now https://sergeybelove.ru/one-button-scan/ can do this check & auto-generate exploits
- 28. http://www.skeletonscribe.net/2013/05/practical-http-host-header- attacks.html https://web.archive.org/web/20131107024350/http://blackfan.ru/ http://www.acunetix.com/blog/articles/automated-detection-of-host- header-attacks/ http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
- 29. Spoof host header while pentesting1!11!!1!!!! Any questions? @sergeybelove