Forum Discussion

f5rocks_86658
Apr 24, 2019

Host header injection

If attackers are using a different host header to mount a MITM attack with host header injection, something like below:


curl -gv -k -H "Host:; ";;


If we want to match host header value with valid host name in the URL (eg. in this case), and then allow, would that be possible with iRule?


I haven't been successful at extracting the host name from the full URL so far :(


  • Hi f5rocks,

    this is an awesome question and outlines a huge discrepancy between the HTTP/1.1 specification (see RFC7230 Section 5.4, last paragraph) vs. how Software Vendors are implementing their web servers.

    Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing

    https://tools.ietf.org/html/rfc7230#page-44

    Host of Troubles: Multiple Host Ambiguities in HTTP Implementations

    https://www.icir.org/vern/papers/host-of-troubles.ccs16.pdf

    To counter attacks using multiple HTTP-Headers (according to RFC7230) you may take a look at the iRule below.

    Black-Listing request with multiple HOST-Headers

    when HTTP_REQUEST {
        # RFC7230 Section 5.4: a request with more than one Host header is invalid
        if { [llength [HTTP::header values "Host"]] > 1 } then {
            HTTP::respond 400 content "Bad Request" "Content-Type" "text/html"
        } else {
            # Allow the request...
        }
    }
    

    And to counter all remaining issues related to HOST-Headers use a white-listing of the combined HTTP-Host header values.

    White-Listing based on combined HTTP-Host header values

    when HTTP_REQUEST {
        # Compare the combined (possibly multi-valued) Host header, lower-cased, against the one allowed host name
        if { [string tolower [HTTP::header values "Host"]] eq "www.domain.de" } then {
            # Allow the request...
        } else {
            HTTP::respond 400 content "Bad Request" "Content-Type" "text/html"
        }
    }
    

    Cheers, Kai
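Kai's two iRules cover the multiple-Host and whitelist cases; the asker's remaining point, comparing the Host header with the host name in an absolute-form request URL, is the other half of RFC7230 Section 5.4. The following is an added example, not code from this thread or from F5, that applies all three checks to constructed raw HTTP/1.1 requests in Python; ALLOWED_HOSTS and the sample requests are assumptions.

```python
"""Host-header validation in the spirit of RFC 7230 section 5.4 (added example)."""
from urllib.parse import urlsplit

# Assumed whitelist, mirroring the single host name used in the iRule above.
ALLOWED_HOSTS = {"www.domain.de"}


def parse_request_head(raw: bytes):
    """Split a raw request head into (method, request-target, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = [l for l in head.split("\r\n") if l]
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers


def check_host(raw: bytes, allowed=ALLOWED_HOSTS):
    """Return (accepted, reason) for one request head."""
    _method, target, headers = parse_request_head(raw)
    hosts = [v for n, v in headers if n == "host"]
    # Section 5.4: zero Host fields, or more than one, must be answered with 400.
    if len(hosts) != 1:
        return False, "host header count != 1"
    host = hosts[0].lower()
    # Absolute-form request-target: the client must send a Host identical to the
    # URL's authority, so a mismatch is rejected. Ports are compared literally.
    if "://" in target:
        authority = urlsplit(target).netloc.lower()
        if authority != host:
            return False, "host header does not match request-target authority"
    # Finally the whitelist, the same decision the second iRule makes.
    if host not in allowed:
        return False, "host not in whitelist"
    return True, "ok"
```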