attacking thru http host header
TRANSCRIPT
HTTP HOST header attacks
Sergey Belov@sergeybelove
HOST header
2 main puproses: Virtual host Proxy balancer
GET / HTTP/1.1Host: www.example.com...
HOST header attacks
Tampering can leak to: Password reset poisoning Cache poisoning Access to internal hosts Cross Site Scripting + filter bypass
Password reset poisoning
Normal cases: <a href=“//user/page”>page</a> <a href=“http://example.com/user/page
”>page</a>
Password reset poisoning
Possible results after tampering: Error Default host / N/A First virtual host (apache / nginx – 000-
default.conf) Tampered header in result htmlGET / HTTP/1.1Host: www.evil.com...
Password reset poisoning
Test case:1) Go to password reset page2) Spoof HOST header to attacker.com3) Use victim’s email & submit
Password reset poisoning
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
Password reset poisoning
http://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
Password reset poisoning
Possible victims:• Drupal• Django• Joomla• ...?
For developers:• https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-ALLOWED_HOSTS
• https://www.drupal.org/node/2221699
Cache poisoning
Cache poisoning
Normal cases: <a href=“//user/page”>page</a> <a href=http://example.com/user/page
>page</a>
Cache poisoning
2) Spoof with 2 headers
GET / HTTP/1.1Host: www.example.comHost: www.evil.com
Cache poisoning
3) Spoof with X-Forwarded
GET / HTTP/1.1Host: www.evil.comX-Forwarded-Host: evil.com
Cache poisoning
1,2,3 can leak to perm XSS on server side
Access to internal hosts
A typical action while penesting – bruteforcing subdomainsWhat about HOST header bruteforcing?
Access to internal hosts
Let’s try to bruteforce HOST here!
Access to internal hostsMSF - /modules/auxiliary/scanner/http/vhost_scanner.rb – isn’t
goodvalstr = [ "admin", "services", "webmail", "console", "apps", "mail", "intranet", "intra", "spool", "corporate", "www", "web" ]
Access to internal hosts
example.comPrefixes• beta.example.com• dev.example.com• ...
Zones• example.test• example.dev• example.beta• ...
+ different combinations
https://github.com/BeLove/avhbf - good :)
Cross Site Scripting
Facts: Originally disclosed by @Black2Fan in
2013 HOST header appears in result HTML Works only in IE
Cross Site Scripting
Our goal –
Spoof HOST header in request by victim (like a reflected
XSS/CSRF)
Cross Site Scripting
Host header after redirect Normal caseResponse:...Location: http://example.com%2flogin.php
Request:...Host: example.com
Cross Site Scripting
Host header after redirect IE (any version) caseResponse:...Location: http://example.com%2flogin.php
Request:...Host: example.com/login.php
Cross Site Scripting
GET /login.phphp/ HTTP/1.1Accept: text/html, application/xhtml+xml, */*
Accept-Language: pl-PLUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflateHost: example.com/login.phpDNT: 1Connection: Keep-AliveCache-Control: no-cache
Cross Site Scripting
Cross Site Scripting
XSS filter bypass (original example)
http://blackfan.ru%252F<img%252Fsrc='x'onerror=alert(1)>
%252F.%252e%252F.%252e%252F%253F%2523
Cross Site Scripting
Nowhttps://sergeybelove.ru/one-button-scan/
can do this check & auto-generate exploits
Links http://www.skeletonscribe.net/2013/05/practical-http-host-head
er-attacks.html https://web.archive.org/web/20131107024350/http://blackfan.ru/ http://www.acunetix.com/blog/articles/automated-detection-of-h
ost-header-attacks/ http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.ht
ml
Finish
Spoof host header while pentesting1!11!!1!!!!
Any questions?
@sergeybelove