Skip to main content
Information Security

Return to Question

Remove unused header from PoC
Source Link
Jorge Martínez
Jorge Martínez
  • 1
  • 1

I have an Nginx reverse proxy that connects to different servers in the back-end according to the SNI. Recently it was pointed to me that if I add a header X-Forwarded-Host to something like https://evildomain.com would result in a redirect. Something like this:

curl -X GET "https://my.domain.com" -H "X-Forwarded-For: google.com" -H "X-Forwarded-Host: evildomain.com"

And indeed, the result is a 302 Redirect:

<html><body>You are being <a href="https://evildomain.com/users/sign_in">redirected</a>.</body></html>

So, indeed, this is a misconfiguration. My question is how would an attacker exploit this?

  • If all connections are managed via HTTPS, a proxy wouldn't be able to inject headers (unless the client is connecting to the proxy via HTTP, in which case his/her problems are bigger).
  • A phishing email shouldn't be able to inject headers on a link (unless I'm allowing JS in email, in which case I have more serious issues)

The only scenario I can think of is if I'm already in an evil website and get a link to https://my.domain.com. On the call the attacker would add the headers, and the client would eventually be redirected. Is this the only scenario? How bad is it really?

I have an Nginx reverse proxy that connects to different servers in the back-end according to the SNI. Recently it was pointed to me that if I add a header X-Forwarded-Host to something like https://evildomain.com would result in a redirect. Something like this:

curl -X GET "https://my.domain.com" -H "X-Forwarded-For: google.com" -H "X-Forwarded-Host: evildomain.com"

And indeed, the result is a 302 Redirect:

<html><body>You are being <a href="https://evildomain.com/users/sign_in">redirected</a>.</body></html>

So, indeed, this is a misconfiguration. My question is how would an attacker exploit this?

  • If all connections are managed via HTTPS, a proxy wouldn't be able to inject headers (unless the client is connecting to the proxy via HTTP, in which case his/her problems are bigger).
  • A phishing email shouldn't be able to inject headers on a link (unless I'm allowing JS in email, in which case I have more serious issues)

The only scenario I can think of is if I'm already in an evil website and get a link to https://my.domain.com. On the call the attacker would add the headers, and the client would eventually be redirected. Is this the only scenario? How bad is it really?

I have an Nginx reverse proxy that connects to different servers in the back-end according to the SNI. Recently it was pointed to me that if I add a header X-Forwarded-Host to something like https://evildomain.com would result in a redirect. Something like this:

curl -X GET "https://my.domain.com" -H "X-Forwarded-Host: evildomain.com"

And indeed, the result is a 302 Redirect:

<html><body>You are being <a href="https://evildomain.com/users/sign_in">redirected</a>.</body></html>

So, indeed, this is a misconfiguration. My question is how would an attacker exploit this?

  • If all connections are managed via HTTPS, a proxy wouldn't be able to inject headers (unless the client is connecting to the proxy via HTTP, in which case his/her problems are bigger).
  • A phishing email shouldn't be able to inject headers on a link (unless I'm allowing JS in email, in which case I have more serious issues)

The only scenario I can think of is if I'm already in an evil website and get a link to https://my.domain.com. On the call the attacker would add the headers, and the client would eventually be redirected. Is this the only scenario? How bad is it really?

Source Link
Jorge Martínez
Jorge Martínez
  • 1
  • 1

How exploitable is a redirect caused by sending a malicious X-Forwarded-Host header?

I have an Nginx reverse proxy that connects to different servers in the back-end according to the SNI. Recently it was pointed to me that if I add a header X-Forwarded-Host to something like https://evildomain.com would result in a redirect. Something like this:

curl -X GET "https://my.domain.com" -H "X-Forwarded-For: google.com" -H "X-Forwarded-Host: evildomain.com"

And indeed, the result is a 302 Redirect:

<html><body>You are being <a href="https://evildomain.com/users/sign_in">redirected</a>.</body></html>

So, indeed, this is a misconfiguration. My question is how would an attacker exploit this?

  • If all connections are managed via HTTPS, a proxy wouldn't be able to inject headers (unless the client is connecting to the proxy via HTTP, in which case his/her problems are bigger).
  • A phishing email shouldn't be able to inject headers on a link (unless I'm allowing JS in email, in which case I have more serious issues)

The only scenario I can think of is if I'm already in an evil website and get a link to https://my.domain.com. On the call the attacker would add the headers, and the client would eventually be redirected. Is this the only scenario? How bad is it really?