October 8, 2013

Tamper the "Host" header

If you read this post, I suppose that you did some web pentests or have knowledge in web development.

The "Host" header
The HTTP RFC explains what is the "Host" header:
The Host request-header field specifies the Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource (generally an HTTP URL). The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL. This allows the origin server or gateway to differentiate between internally-ambiguous URLs, such as the root "/" URL of a server for multiple host names on a single IP address.
This header can be used in the following scenarios:

  1. Reverse proxy server that replaces uses the header for back-end requests.
  2. Sometimes websites use this value to build new URLs from it, e.g. activation email, links in HTML pages (including error pages).


Tamper it!
Let's do simple tampering and see what kinds of responds do we get. Before doing that, I created a php page that contains the following content in order to illustrate the inputs and outputs. The following php code runs on the server:
If we send a not-tampered request to this page, we should get the following result:

We can see that she server prints the host header. The REAL question is what happens when this header is tampered? See the result below:
In this example I used the well-known XSS locator in the "Host" header. As you can see, the request is sent to the server that defined in the "Target" in the top right corner.

Conclusion
We learned that if the server uses the "Host" header, it can affect on many variables in the message that sent back to the browser/email. I suggest to log for it in customized error pages as well...
In addition, the demo above contains very simple code in php, but it is not limited to specific technology, thus it can be done on most of the web servers.