Downloaded 24 times
![MSF - /modules/auxiliary/scanner/http/vhost_scanner.rb – isn’t good valstr = [ "admin", "services", "webmail", "console", "apps", "mail", "intranet", "intra", "spool", "corporate", "www", "web" ]](https://image.slidesharecdn.com/ccdcg150907010649lva1app6892-160217175724/75/Attacking-thru-HTTP-Host-header-18-2048.jpg)
Uploaded bySergey Belov
Attacking thru HTTP Host header
This document discusses exploiting vulnerabilities related to HTTP host header tampering. It notes that tampering with the host header can lead to issues like password reset poisoning, cache poisoning, and cross-site scripting. It provides examples of how normal host header usage can be tampered with, including by spoofing the header to direct traffic to malicious sites. The document also lists some potential victims of host header attacks, like Drupal, Django and Joomla, and recommends developers check settings to restrict allowed hosts. It proposes methods for bruteforcing subdomains and host headers to find vulnerabilities.
In this document
Powered by AI
Presented by Sergey Belov.
Two main purposes of host header attacks include functioning as a virtual host and proxy balancer.
Tampering can lead to various vulnerabilities like password reset and cache poisoning, intertwining with potential errors.
Steps to perform host header spoofing attacks, which may lead to security breaches, including XSS.
Discusses the technique of bruteforcing host headers during penetration testing and methods employed.
Focuses on how spoofed host headers work through redirects and different browser behaviors.
Exemplifies XSS filter bypass and introduces tools available for checking and generating exploits.
Summary of resources for further reading and invitation for questions regarding the topic.
Attacking thru HTTP Host header
- 1.
- 2. 2 main puproses: Virtual host Proxy balancer GET / HTTP/1.1 Host: www.example.com ...
- 3. Tampering can leakto: Password reset poisoning Cache poisoning Access to internal hosts Cross Site Scripting + filter bypass
- 4. Normal cases: <ahref=“//user/page”>page</a> <a href=“http://example.com/user/page”>page</a>
- 5. Possible results aftertampering: Error Default host / N/A First virtual host (apache / nginx – 000-default.conf) Tampered header in result html GET / HTTP/1.1 Host: www.evil.com ...
- 6. Test case: 1) Goto password reset page 2) Spoof HOST header to attacker.com 3) Use victim’s email & submit
- 7.
- 8.
- 9. Possible victims: • Drupal •Django • Joomla • ...? For developers: • https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-ALLOWED_HOSTS • https://www.drupal.org/node/2221699
- 11. Normal cases: <ahref=“//user/page”>page</a> <a href=http://example.com/user/page>page</a>
- 12. 1) Spoof GET /HTTP/1.1 Host: www.evil.com
- 13. 2) Spoof with2 headers GET / HTTP/1.1 Host: www.example.com Host: www.evil.com
- 14. 3) Spoof withX-Forwarded GET / HTTP/1.1 Host: www.evil.com X-Forwarded-Host: evil.com
- 15. 1,2,3 can leakto perm XSS on server side
- 16. A typical actionwhile penesting – bruteforcing subdomains What about HOST header bruteforcing?
- 17. Let’s tryto bruteforce HOST here!
- 18. MSF - /modules/auxiliary/scanner/http/vhost_scanner.rb– isn’t good valstr = [ "admin", "services", "webmail", "console", "apps", "mail", "intranet", "intra", "spool", "corporate", "www", "web" ]
- 19. example.com Prefixes • beta.example.com • dev.example.com •... Zones • example.test • example.dev • example.beta • ... + different combinations https://github.com/BeLove/avhbf - good :)
- 20. Facts: Originally disclosedby @Black2Fan in 2013 HOST header appears in result HTML Works only in IE
- 21. Our goal – Spoof HOSTheader in request by victim (like a reflected XSS/CSRF)
- 22. Host headerafter redirect Normal case Response: ... Location: http://example.com%2flogin.php Request: ... Host: example.com
- 23. Host headerafter redirect IE (any version) case Response: ... Location: http://example.com%2flogin.php Request: ... Host: example.com/login.php
- 24. GET /login.phphp/ HTTP/1.1 Accept:text/html, application/xhtml+xml, */* Accept-Language: pl-PL User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: example.com/login.php DNT: 1 Connection: Keep-Alive Cache-Control: no-cache
- 26. XSS filterbypass (original example) http://blackfan.ru %252F<img%252Fsrc='x'onerror=alert(1)> %252F.%252e%252F.%252e%252F%253F%2523
- 27. Now https://sergeybelove.ru/one-button-scan/ can do thischeck & auto-generate exploits
- 28. http://www.skeletonscribe.net/2013/05/practical-http-host-header- attacks.html https://web.archive.org/web/20131107024350/http://blackfan.ru/ http://www.acunetix.com/blog/articles/automated-detection-of-host- header-attacks/ http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
- 29. Spoof host headerwhile pentesting1!11!!1!!!! Any questions? @sergeybelove