Host Header Injection

Description

Overview

A web server may host multiple web applications on the same IP address, referring to each application via a virtual host. In an HTTP request, web servers send the request to the correct virtual host based on the value in the Host header.

However, without proper validation implemented, an attacker could alter a reflected Host header to pollute the application’s cache, or to cause the application to redirect a user’s requests to an attacker-controlled resource.

References

During analysis, it was observed that the host `pentest24.eastus.cloudapp.azure.com` is vulnerable to *Host Header Injection* leading to redirection.

Browser URL

https://pentest24.eastus.cloudapp.azure.com/opennms/

Steps To Reproduce

*Step 1*: Intercept the above-mentioned *URL* in *Burp Suite* and send it to the *Repeater Tab*.

*Step 2*: Change the `Host:` header value to an arbitrary domain and send the request. Observe in the response that the application redirects to another location.

![host_header_injection_1.png](https://api.us.cobalt.io/v1/attachments/att_XgjwQiU/preview)

*Step 3*: Now change the `Host:` header to a different domain (for example: `cobalt.io`) and observe that the application redirects to the manipulated domain in the response.

![host_header_injection_2.png](https://api.us.cobalt.io/v1/attachments/att_Wns9ZDq/preview)

Severity

low

The issue is not directly exploitable on its own but can be chained with other vulnerabilities. A successful host header injection could result in web cache poisoning, password reset poisoning, access to internal hosts, cross-site scripting (XSS), authentication bypass, virtual host brute-forcing, etc.

Suggested Fix

  • Configure the application to not trust the Host header value for further functionality. If this is not possible, then implement a whitelist of trusted domains that can be used in the Host header.
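The following is an added illustration of the suggested fix, not code from the OpenNMS project or from the report. It places the vulnerable pattern (reflecting the `Host` header into a redirect target) next to a hardened version that only honours a `Host` value on an allow-list and otherwise falls back to a configured canonical base URL. `TRUSTED_HOSTS` and `CONFIGURED_BASE_URL` are constructed example values; the function names are hypothetical.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed example: the host names this deployment may legitimately be
# reached under (the pentest host from the report plus a local test entry).
TRUSTED_HOSTS = {"pentest24.eastus.cloudapp.azure.com", "localhost:8980"}

# Hypothetical configured canonical base URL, the role a "base-url" style
# property plays: used whenever the request's Host header is not trusted.
CONFIGURED_BASE_URL = "https://pentest24.eastus.cloudapp.azure.com"


def vulnerable_redirect(headers: dict, path: str) -> str:
    """The bug: the Host header is copied verbatim into the Location value,
    so whoever controls the request controls where the browser is sent."""
    return f"https://{headers['Host']}{path}"


def normalise_host(value: str) -> Optional[str]:
    """Lower-case a Host header value and reject anything that is not a bare
    host[:port] (no path, userinfo, whitespace or query fragments)."""
    value = value.strip().lower()
    if not value or "/" in value or "@" in value or " " in value:
        return None
    # Parsing "//host:port" with urlsplit gives host/port parsing for free.
    parts = urlsplit("//" + value)
    if parts.hostname is None or parts.path or parts.query or parts.fragment:
        return None
    return value


def safe_redirect(headers: dict, path: str,
                  trusted=TRUSTED_HOSTS, base_url=CONFIGURED_BASE_URL) -> str:
    """Only an allow-listed Host value is used to build the redirect; any other
    value (including a missing header) falls back to the configured base URL.
    The path must be site-relative so a protocol-relative "//evil" cannot
    slip in through the second argument either."""
    if not path.startswith("/") or path.startswith("//"):
        path = "/"
    host = normalise_host(headers.get("Host", ""))
    if host in trusted:
        return f"https://{host}{path}"
    return f"{base_url}{path}"


if __name__ == "__main__":
    # Constructed request headers mirroring the report's reproduction step.
    forged = {"Host": "cobalt.io"}
    print("vulnerable:", vulnerable_redirect(forged, "/opennms/"))
    print("hardened:  ", safe_redirect(forged, "/opennms/"))
```

The allow-list check is deliberately done on the normalised `host[:port]` string rather than with a substring or prefix match, so `pentest24.eastus.cloudapp.azure.com.attacker.example` does not pass. Logging the cases where `safe_redirect` falls back to the base URL also gives a cheap detection signal for forged `Host` headers.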

Prerequisites

HTTP Request

```http
GET /opennms/ HTTP/1.1
Host: cobalt.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

```

Cobalt URL

#PT22584_3

Acceptance / Success Criteria

None

Attachments

2

Activity


Christian Pape July 16, 2024 at 5:42 AM

Merged.

Christian Pape July 11, 2024 at 12:37 PM

Normally this Host Header injection can be avoided by specifying the property opennms.web.base-url. Unfortunately, this doesn’t seem to work before login for the given page. I altered the code to also use the Util.calculateUrlBase() method to construct the URLs at this point.

Please review:
* PR: https://github.com/OpenNMS/opennms/pull/7358

Fixed

Details

Created June 13, 2024 at 6:31 PM
Updated July 25, 2024 at 5:26 PM
Resolved July 16, 2024 at 5:42 AM