Security and Technology

HTTP Host Header Injections – Learn Penetration Testing & Ethical Hacking

This post explains HTTP Host header poisoning and its consequences.

Hello again,
This time we are going to explain in detail an old, limited vulnerability: injecting the Host header.
Because you cannot force a browser to issue an HTTP request with an injected Host header, this vulnerability cannot be exploited directly against users. Internet Explorer was the only browser that would issue a request with an injected Host header when it got redirected; this was discovered by Sergey Bobrov, and Microsoft did not fix it quickly. The bug is fixed on Windows 10, while Windows 7 is still vulnerable.

The impact of injecting the Host header
– Cache poisoning
– Password-reset link hijacking.

First, let's explain cache poisoning.
What is a cache? Let's assume you browse a newspaper or magazine website that lets you choose several options to customize your feed: your country, your area, your favorite topics, and so on. The web application takes your input, queries the back end and displays the result to you. This process can take some time, so caching was invented to serve you the last result instead of repeating the whole process.
Now, what if you can alter that cached result? Another user may request the same resource, and the cache server will respond with your malicious result. This can lead to further consequences such as defacement or phishing.

Second, hijacking password-reset links or codes.

When you forget your Facebook password and request a new one, Facebook emails you a link containing a 6-digit code, like the following:
http://ift.tt/2fvrCOx

That is what happens on the front end. What about the back end?

First Facebook generates a random code, then constructs a URL and sends it to you.

[php]
$code=Get_random_code(6);     // 6-digit random code
$host=Get_Host();             // where does this host come from? (the key question)
$id=Get_user_id();
$email=Get_user_email();
$link="http://".$host."/rest/?pid=".$id."&code=".$code;
mail($email,"Password reset",$link);
[/php]

Look at the code: some of these functions do not exist, they are only in my mind. The code itself is not the point; our main point is how the web application gets the host before constructing the link. Let's talk about another website, since Facebook is not vulnerable to this issue. Suppose mysocial.com is vulnerable to Host header injection: it takes your Host header and prints it.

In PHP, some developers trust the user's Host header, thinking it cannot be edited, so:
$host=$_SERVER['HTTP_HOST'];

This value is controlled by the attacker.
Now the web application thinks the user forgot his password and should be sent a link to reset it. The code will be as follows:

[php]
$code=rand(9,20);                 // reset code (illustrative; a real app needs a strong random value)
$host=$_SERVER['HTTP_HOST'];      // taken straight from the request's Host header
$email=Get_user_email();
$link="http://".$host."/account/reset.php?code=".$code;
mail($email,"Password reset",$link);
[/php]

Did you notice $host=$_SERVER['HTTP_HOST'];? In PHP this value is set by the end user (SERVER_NAME is not). So what if an attacker sets this value to evil.com? The final link that will be sent to the real user becomes:
http://ift.tt/2fcPanB
This link is now sent to the real user.
The attacker, who owns evil.com, then creates a new directory on his website named account, and inside it a new file named reset.php containing the following code:

[php]
$codevalue=$_GET['code'];                    // the victim's real reset code arrives here
file_put_contents('stolen.txt',$codevalue);  // and is written to the attacker's file
[/php]

What is this? It is a real phishing attack performed with help from the web application itself. The attacker now has the real code or hash and can reset the victim's password, while the victim just assumes the link is broken.
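As an added example (not code from the original post), here is the vulnerable link builder beside a hardened version in PHP. The allow-list, the canonical host and the function names are assumptions for illustration.

```php
<?php
// Added example, not from the original post. ALLOWED_HOSTS, CANONICAL_HOST and
// the function names are hypothetical; the pattern is what matters.

// Hosts this application is really served on. They come from configuration,
// never from the request. SERVER_NAME is only a safe alternative when the web
// server is set to use its canonical name (Apache: UseCanonicalName On);
// otherwise it is derived from the same Host header.
const ALLOWED_HOSTS = ['mysocial.com', 'www.mysocial.com'];
const CANONICAL_HOST = 'mysocial.com';

// The pattern from the post: $host is whatever the client put in "Host:",
// so the emailed link can point at any domain an attacker names.
function build_reset_link_vulnerable(array $server, string $code): string
{
    $host = $server['HTTP_HOST'];
    return "http://" . $host . "/account/reset.php?code=" . $code;
}

// Hardened: keep the request host only if it is on the allow-list (after
// lower-casing and dropping any ":port"); otherwise log the attempt and use
// the configured host. X-Forwarded-Host is deliberately not consulted.
function build_reset_link_safe(array $server, string $code): string
{
    $raw  = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $raw);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        // A rejected Host header is a useful detection signal; alert on it.
        error_log("reset link: rejected Host header '" . $raw . "'");
        $host = CANONICAL_HOST;
    }
    return "https://" . $host . "/account/reset.php?code=" . rawurlencode($code);
}

// Constructed request: the client sent "Host: evil.com".
$server = ['HTTP_HOST' => 'evil.com'];
// A real reset code: 128 bits from the CSPRNG, not rand(9,20).
$code = bin2hex(random_bytes(16));

echo build_reset_link_vulnerable($server, $code), "\n";
echo build_reset_link_safe($server, $code), "\n";
```

The first line printed carries the code to the attacker's host; the second always points back at the configured host, so a forged Host header buys the attacker nothing.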

Now we have explained what Host injection is.
How do you detect it? It is like normal XSS: you inject something and see whether it is reflected or not.
Using curl on your Unix machine, this command is enough to detect Host injection:

curl -H 'Host: evil.com' http://ift.tt/1ioHsFF -i

For Windows users, you can use Burp Repeater, but you need to write the request yourself, or use our tool Host injector, which has some auto-generated payloads to bypass some filters.

SEE YOU

The post HTTP Host Header Injections appeared first on Learn Penetration Testing & Ethical Hacking. http://ift.tt/2fcLv9c http://ift.tt/2aM8QhC
