
HTTP Host Header Poisoning


Description

The HTTP Host header specifies the domain name the HTTP client wants to access. It is mandatory in HTTP/1.1.

For instance, to access the domain www.ostorlab.co, the HTTP client sends the following request with the Host header:

    GET / HTTP/1.1
    Host: www.ostorlab.co

The Host header is what lets a server route incoming traffic to the correct virtual host.

Applications that handle the Host header insecurely are exposed to several classes of vulnerabilities, such as:

  • Server-side request forgery
  • Web Cache poisoning
  • Insecure redirects

Host header poisoning can materialize in different ways:

  • Arbitrary Host header reflection
  • Duplicate Host headers injection
  • Absolute URL injection and ignoring the Host header value
  • Header injection through line wrapping of the Host header value
  • Injection of common Host override-headers, like X-Host, X-Forwarded-Server, X-HTTP-Host-Override

Recommendation

Protection against Host header attacks requires multiple checks that depend on the application's target architecture: whether it supports virtual hosts, whether it sits behind a reverse proxy, and whether it runs in a cloud environment that adds extra routing headers.

The recommendations to protect against these attacks are:

  • Avoid using the Host header value in application logic.
  • Implement a whitelist check of accepted Host values; most web frameworks support this natively.
  • Disable host override headers; this depends on the intermediary components deployed in your architecture. Common places to check are reverse-proxies and Kubernetes ingress controllers.
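The whitelist check from the recommendations above as an added Python example (not Ostorlab's code), written to catch the poisoning variants listed in the description: duplicate Host headers, absolute-URL request targets that disagree with Host, line wrapping, and the override headers, which are reported but never routed on. ALLOWED_HOSTS and the header lists are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed allowlist; a real deployment loads it from configuration.
ALLOWED_HOSTS = {"www.ostorlab.co", "ostorlab.co"}
# Override headers some intermediaries honour. The application never routes on
# them; they are only reported so that their presence can be logged.
OVERRIDE_HEADERS = ("x-host", "x-forwarded-host", "x-forwarded-server",
                    "x-http-host-override")

@dataclass
class HostCheck:
    host: Optional[str]                  # host to route on; None = reject with 400
    findings: List[str] = field(default_factory=list)   # for logging/detection

def _canonical(value: str) -> Optional[str]:
    """Lower-case the host and drop an optional port; None if malformed."""
    value = value.strip().lower()
    if value.startswith("[") and "]" in value:      # bracketed IPv6 literal
        value = value[: value.index("]") + 1]
    elif value.count(":") == 1:                     # host:port
        value = value.split(":", 1)[0]
    # Slashes, whitespace (CR/LF from line wrapping) and URL delimiters never belong here.
    if not value or any(c in value for c in "/ \t\r\n\\@?#"):
        return None
    return value.rstrip(".")

def check_host(headers: List[tuple], request_target: str,
               allowed=ALLOWED_HOSTS) -> HostCheck:
    result = HostCheck(host=None)
    hosts = [v for k, v in headers if k.lower() == "host"]
    if len(hosts) != 1:   # duplicate or missing Host: refuse rather than guess
        result.findings.append("duplicate-host" if hosts else "missing-host")
        return result
    host = _canonical(hosts[0])
    if host is None:
        result.findings.append("malformed-host")
        return result
    # Absolute-form request target: its authority must agree with Host.
    if "://" in request_target and _canonical(urlsplit(request_target).netloc) != host:
        result.findings.append("absolute-url-host-mismatch")
        return result
    result.findings += [f"ignored-override:{k.lower()}" for k, _ in headers
                        if k.lower() in OVERRIDE_HEADERS]
    if host not in allowed:
        result.findings.append("host-not-allowed")
        return result
    result.host = host
    return result
```

A request whose check returns `host=None` should be answered with HTTP 400; the findings list is what to forward to logging or detection pipelines.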

Standards

  • PCI_STANDARDS:
    • REQ_6_2
    • REQ_6_3
    • REQ_6_4
    • REQ_11_3