Forum Discussion

f5rocks_86658's avatar
f5rocks_86658
Icon for Nimbostratus rankNimbostratus
Apr 24, 2019

Host header injection

If attacker are using diff host header to have MITM attach with host header injection - something like below   curl -gv -k -H "Host:; ";;   If we want to match host header value with valid host...
iRules
security
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Apr 24, 2019

Hi f5rocks,

this is an awesome question and outlines a huge discrepancy between the HTTP/1.1 specification (see RFC7230 Section 5.4. last paragraph) vs. how Software Vendors are implementing their web servers.

Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing

https://tools.ietf.org/html/rfc7230page-44

Host of Troubles: Multiple Host Ambiguities in HTTPImplementations

https://www.icir.org/vern/papers/host-of-troubles.ccs16.pdf

To counter attacks using multiple HTTP-Headers (accoring to RFC7230) you may take a look to the iRule below.

Black-Listing request with multiple HOST-Headers

when HTTP_REQUEST {
    if { [llength [HTTP::header values "Host"]] > 1 } then {
        HTTP::respond 400 content "Bad Request" "Content-Type" "text/html"
    } else {
         Allow the request...  
    }
}

And to counter all remaining issues related to HOST-Headers use a white-listing of the combined HTTP-Host header values.

White-Listing based on combined HTTP-Host header values

when HTTP_REQUEST { 
    if { [string tolower [HTTP::header values "Host"]] eq "www.domain.de" } then {
         Allow the request...
    } else {
        HTTP::respond 400 content "Bad Request" "Content-Type" "text/html"  
    }
}

Cheers, Kai