
Solution for Host Header Attack and Vulnerability

When a user tries to access a website, the browser sends a Host Header to tell the server which site the user wants to visit. Just like other headers, an attacker can tamper with the Host Header to manipulate how the application works. In this post, I will explain a way to prevent this kind of Host Header attack.

Scenario

In a nutshell, here is how this attack occurs:

  1. Attacker changes Host Header (Example: malicious-site.com)
  2. Attacker makes a request to visit this site
  3. The web server receives this Host Header (malicious-site.com)
  4. If the application is using this Host Header to build a link, the attacker’s site will appear in this link. For example, the application may call a JavaScript file with Host Header string in the URL. In this case, the website will call an address such as:
    <script src="http://malicious-site.com/script.js">
  5. Since the website loaded the attacker’s JavaScript, the attacker can do plenty of “bad things”

This type of attack can affect password reset forms and X-Forwarded-Host header as well. For more information about Host Header Attack, visit Reference 1, Reference 2, Reference 3, and Reference 4.

Host Header Vulnerability

Your security scan tool may flag Host Header-related findings as a vulnerability. In my case, I had this report from the Cisco vulnerability scan:

Cisco observed that the application is not validating the host header on the following endpoints:

https://domain.com/folder1/page1.aspx
https://domain.com/folder2/page2.aspx

In the absence of host header validation, certain implementations can lead to cache poisoning attacks, allowing attackers to potentially compromise sensitive data. Please also refer to the “Insufficient Cache Control Headers” finding.

Have you received a warning about usage of HTTP TRACK or TRACE headers in your web server? Check this post out for more information: How to disable HTTP TRACK and TRACE verbs in IIS?

How to Prevent Host Header Attacks?

There are a couple of best practices for preventing attackers from using the Host Header to manipulate your application:

  • Do not use Host Header in your application code
  • If you have to use it, validate it in every page
  • Make sure all of your IIS websites have a hostname
  • Disable support for X-Forwarded-Host header
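The third bullet, “make sure all of your IIS websites have a hostname”, is set in the site bindings. The fragment below is an added example of the weak binding beside the corrected one, written here for illustration and not taken from the original post; the site name, IP wildcard and “www.domain.com” are placeholders:

```xml
<!-- applicationHost.config (%windir%\System32\inetsrv\config), inside <system.applicationHost><sites> -->
<site name="Default Web Site" id="1">
  <bindings>
    <!-- Weak: the host name part after the second colon is empty, so this site
         answers any Host header that reaches port 80 on any IP of the server. -->
    <binding protocol="http"  bindingInformation="*:80:" />

    <!-- Better: one binding per name you really serve. A request whose Host header
         matches none of the bound names gets no site match instead of this one. -->
    <binding protocol="http"  bindingInformation="*:80:www.domain.com" />
    <!-- sslFlags="1" enables SNI (IIS 8 and later) so the name is honoured on HTTPS too. -->
    <binding protocol="https" bindingInformation="*:443:www.domain.com" sslFlags="1" />
  </bindings>
</site>
```

In IIS Manager this is the “Host name” field of each binding under Site Bindings; the `*:80:` form is what you get when that field is left blank. With a bare-IP or catch-all binding still present anywhere on the same port, that site will keep receiving requests with unexpected Host values, so check every site, not just the one that was flagged.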

How to Fix Host Header Vulnerability?

You can use URL Rewrite rules in IIS to catch requests that carry an unexpected host header. Perform the steps below:

  1. Go to IIS Manager
  2. Click on the site
  3. Double click on “URL Rewrite” (it should be installed)
  4. Click “Add Rule(s)” on the right side
  5. Select “Blank rule”. Click “OK”
  6. Give a name to the rule
  7. In “Match URL” section, enter (.*) in “Pattern” field
  8. In “Conditions” section, click “Add”
  9. Enter {HTTP_HOST} into “Condition input” field
  10. Select “Does Not Match the Pattern” option from “Check if input string” list
  11. Enter ^([a-zA-Z0-9-_]+.)*domain.com$ into “Pattern” field (change domain to your actual domain)
  12. In the “Action” section, select “Redirect” from the “Action type” list
  13. Enter your domain address (https://domain.com/) in the “Redirect URL” field
  14. Select “Permanent (301)” from the “Redirect type” list
  15. Click “Apply” on the right side
[Figure: URL Rewrite rule to fix host header vulnerability]
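The fifteen IIS Manager steps above produce a rule in the site’s web.config. The fragment below is an added example of that rule as the configuration file ends up holding it; it is not copied from the original post, and “domain.com” and the rule name are placeholders you replace with your own values:

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Step 6: the rule name is free text -->
        <rule name="Block unexpected Host header">
          <!-- Step 7: (.*) matches every requested path, so the condition below decides -->
          <match url="(.*)" />
          <conditions>
            <!-- Steps 9-11: "Does Not Match the Pattern" is negate="true".
                 The dots are escaped here so that only domain.com and its
                 subdomains pass; the hyphen is placed last in the class so it
                 is a literal hyphen rather than a character range. -->
            <condition input="{HTTP_HOST}"
                       pattern="^([a-zA-Z0-9_-]+\.)*domain\.com$"
                       negate="true" />
          </conditions>
          <!-- Steps 12-14: send anything else to the canonical address with a 301 -->
          <action type="Redirect" url="https://domain.com/" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Two things worth checking after applying it. First, an unescaped `.` in the pattern matches any character, so a host name that merely ends in the characters `domain.com` preceded by some other character would also pass; escaping the dots, as above, closes that gap. Second, `{HTTP_HOST}` includes the port when the request carries one (for example a site bound to a non-standard port), and an empty `{HTTP_HOST}` value does not match the pattern either, so both cases fall through to the redirect; a Failed Request Tracing log for the rewrite module shows exactly which value the condition was evaluated against.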

In addition to the Host Header vulnerability, your security scan tool may flag “Disclosure of private IP address” finding as well. Check this post out to find out the steps to mitigate it: Do not disclose private IP addresses and routing information to unauthorized parties

4 thoughts to “Solution for Host Header Attack and Vulnerability”

  1. Hi,
    Thank you, I have implemented it and it works. But if the HTTP Request doesn’t contain Host header, the rule still running. How to handle that?

    1. The rule is not supposed to be performed in that scenario! Can you please collect a Failed Tracing Request log and see if the rule is running? If it is running, is the condition matching?
