HTTP Host Header Poisoning
Description
The HTTP Host header specifies the host name, and optionally the port, of the server the HTTP client wants to reach. Every HTTP/1.1 request must carry it (RFC 7230).
For instance, to access the domain www.ostorlab.co, the HTTP client would send the following request with the Host
header:
```http
GET / HTTP/1.1
Host: www.ostorlab.co
```
Web servers and reverse proxies use the Host header to route a request to the right virtual host when several sites share one IP address, and many applications read it back to build absolute URLs. Because the value is entirely client-controlled, applications that handle it insecurely are exposed to several classes of vulnerabilities, such as:
- Server-side request forgery (the back end connects to, or forwards to, whatever host the attacker supplied)
- Web cache poisoning (a response built from the injected host is cached and served to other users)
- Insecure redirects (a Location header built from the injected host)
Host header poisoning can be carried out in several ways:
- Arbitrary Host header reflection: the server accepts any value and echoes it into URLs or page content
- Duplicate Host header injection: two Host headers are sent, and the front end and back end may pick different ones
- Absolute URL injection: the request target is an absolute URL, and the server uses its authority while ignoring the Host header value
- Header injection by line wrapping: an indented continuation line (obsolete line folding) that some parsers append to the Host value and others treat as a separate header
- Injection of common Host override headers, such as X-Host, X-Forwarded-Server and X-HTTP-Host-Override
Recommendation
Protection against Host header attacks requires several checks whose details depend on the target architecture: whether virtual hosts are served, whether a reverse proxy sits in front of the application, and whether the hosting environment (for example a cloud load balancer) adds its own routing headers.
The recommendations to protect against these attacks are:
- Avoid using the Host header value in application logic; build absolute URLs from a configured canonical host instead.
- Implement an allowlist check of accepted Host values; most web frameworks support this natively.
- Disable host override headers; this depends on the intermediary components deployed in your architecture. Common places to check are reverse proxies and Kubernetes ingress controllers.
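The injection techniques listed in the description and the allowlist check recommended above, as an added example that is not part of the original page. It assumes a Python application that can see the raw HTTP/1.1 request head (for instance a small service behind a reverse proxy) and wants to validate the Host header before using it. The domain www.ostorlab.co is reused from the page's example request; the sample requests are constructed for the example; and the `HostCheck` type, the `check_host` / `redirect_location_*` helpers and the extra X-Forwarded-Host entry are this example's own additions, not the page's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Allowlist of host names this deployment serves. The domain is the one used in
# the page's example request; in a real application it comes from configuration.
ALLOWED_HOSTS = {"www.ostorlab.co"}

# Override headers named on the page, plus X-Forwarded-Host (added here because
# many proxies and frameworks honour it). Lower-cased for comparison.
OVERRIDE_HEADERS = {"x-host", "x-forwarded-host", "x-forwarded-server", "x-http-host-override"}

# DNS-style host name with an optional port. IPv6 literals are deliberately not
# accepted; extend the pattern if the deployment needs them.
HOST_RE = re.compile(
    r"^([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)(?::(\d{1,5}))?$"
)


@dataclass(frozen=True)
class HostCheck:
    ok: bool
    host: Optional[str]  # validated host name (without port) when ok
    reason: str


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a request head into (request-line, [(name, value), ...]).

    Duplicates and order are preserved on purpose: the check below must see
    that a second Host header existed, not just whichever one 'wins'. An
    indented continuation line (obsolete line folding, the 'line wrapper'
    technique from the page) is rejected outright.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            raise ValueError("obs-fold header continuation rejected")
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def check_host(raw: bytes) -> HostCheck:
    """Apply the page's recommendations: one Host, no overrides, allowlisted."""
    try:
        request_line, headers = parse_head(raw)
    except ValueError as exc:
        return HostCheck(False, None, str(exc))
    parts = request_line.split(" ")
    if len(parts) != 3:
        return HostCheck(False, None, "malformed request line")
    target = parts[1]

    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1:
        return HostCheck(False, None, f"expected exactly one Host header, got {len(hosts)}")
    overrides = sorted(n for n, _ in headers if n in OVERRIDE_HEADERS)
    if overrides:  # a proxy in front of us should have stripped these
        return HostCheck(False, None, "host override header present: " + ", ".join(overrides))
    match = HOST_RE.match(hosts[0].lower())
    if not match:
        return HostCheck(False, None, "Host header is not a valid host[:port]")
    hostname = match.group(1)

    # Absolute-form request target: proxies route on its authority and ignore
    # Host, so an origin server must insist that the two agree.
    if "://" in target:
        if (urlsplit(target).hostname or "").lower() != hostname:
            return HostCheck(False, None, "absolute-URI authority does not match Host")
    elif not target.startswith("/") and target != "*":
        return HostCheck(False, None, "unsupported request target")

    if hostname not in ALLOWED_HOSTS:
        return HostCheck(False, None, f"host {hostname!r} not in allowlist")
    return HostCheck(True, hostname, "ok")


def redirect_location_vulnerable(raw: bytes, path: str) -> str:
    """The anti-pattern: the redirect origin is taken straight from the request."""
    _, headers = parse_head(raw)
    host = dict(headers)["host"]  # with duplicate Host headers the last one wins
    return f"https://{host}{path}"


def redirect_location_safe(raw: bytes, path: str) -> Optional[str]:
    """Only ever redirect to a validated, allowlisted host; None means answer 400."""
    check = check_host(raw)
    return f"https://{check.host}{path}" if check.ok else None


SAMPLES = {  # constructed requests, one per technique listed on the page
    "legit": b"GET / HTTP/1.1\r\nHost: www.ostorlab.co\r\n\r\n",
    "legit_port": b"GET / HTTP/1.1\r\nHost: www.ostorlab.co:443\r\n\r\n",
    "arbitrary": b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n",
    "duplicate": b"GET / HTTP/1.1\r\nHost: www.ostorlab.co\r\nHost: evil.example\r\n\r\n",
    "absolute_url": b"GET https://evil.example/ HTTP/1.1\r\nHost: www.ostorlab.co\r\n\r\n",
    "line_wrap": b"GET / HTTP/1.1\r\nHost: www.ostorlab.co\r\n evil.example\r\n\r\n",
    "override": b"GET / HTTP/1.1\r\nHost: www.ostorlab.co\r\nX-Forwarded-Host: evil.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        result = check_host(request)
        print(f"{name:13} ok={result.ok!s:5} host={result.host} reason={result.reason}")
    print("vulnerable redirect:", redirect_location_vulnerable(SAMPLES["duplicate"], "/login"))
    print("safe redirect:      ", redirect_location_safe(SAMPLES["duplicate"], "/login"))
```

The check rejects rather than silently repairs: a duplicate Host, an override header or a folded header line reaching the origin means an intermediary is not normalising requests, which is worth a 400 and a log entry rather than a best-effort guess at which value the front end used. The vulnerable redirect helper shows why: with the duplicate-Host sample it happily builds a Location pointing at evil.example, while the safe variant refuses.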
Links
Standards
- PCI_STANDARDS:
- REQ_6_2
- REQ_6_3
- REQ_6_4
- REQ_11_3
- HIPAA_CONTROLS:
- SECURITY221
- SECURITY212
- SECURITY213