1

We have an API server hosted with amazon elb. The server has only one virtual host and hence it doesn't enforce Host header. But if we manually add a Host header along with the request with a valid host name, the server returns a success.

Is there any possibilities by which this can be exploited in general? Is it usually recommended to use a Host header with every request?

Improve this question
2
  • Even if the server is fine without it, a host header is mandatory in HTTP - so why not just adhere to the specification and send one? (Also, are you only asking from the perspective of the client or also about risks of not verifying a host header on the server side?) Commented May 15, 2017 at 9:57
  • @Arminius There is no code level checks implemented for Host header. I was wondering whether any host header inclusion/injection attacks work in this case. Commented May 16, 2017 at 9:14

1 Answer 1

Reset to default
2

I would say this is not a vulnerability in itself, but enables the exploitation of other vulnerabilities.

Recently an attack was published for Wordpress that depended on the site being available independent of the value of the Host header.

  • Attacker requests a password reset with Host header set to attacker-controlled domain: Host: attacker.com.
  • Wordpress sends a password reset token to the email address of the user, with the sender set to [email protected].
  • If this email bounces or is replied to, the attacker receives the token on [email protected].

Edit: a DNS rebinding attack also only works if the web site ignores the host header. It works like this:

  • A user visits attacker.com.
  • The attacker changes the DNS entry for attacker.com to point to your amazon elb server.
  • The page on attacker.com does a HTTP request using Javascript to attacker.com. This is permitted according to the same-origin policy, but since the DNS has changed it is actually a cross origin request.
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.