Forum Discussion
Host header vulnerability
This interesting vulnerability was found with a simple redirect irule by injecting a bad actor site as a host header, the F5 will redirect based on the host header and not on the host within the URL itself.
when HTTP_REQUEST {
HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}
curl -H Host:evil.net foobar.com -i
HTTP/1.0 301 Moved Permanently
Location: https://evil.net/ Server: BigIP Connection: Keep-Alive Content-Length: 0See this article for more details https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
What would you suggest as the best way to mitigate/fix this?
6 Replies
that is how HTTP works, if you look at an HTTP request (with F12 in most browsers) you will see it sends an URI to an IP (which it resolved from the hostname) and a Host header. some other headers also, but those don't matter here.
so the only way* the device you send such a request to knows for which host it is is the Host header. and if you use that value for something it might turn out weird.
there is little you can do except if you know which hosts are used on your virtual server only allow those and drop all requests with different Host headers.
*) yes there is SNI, but that only works for HTTPS.
- Stanislas_Piro2
Cumulonimbus
when you enter in the address bar the following URL :
https://foobar.com/mypath.php
the HTTP request is:
GET /mypath.php HTTP/1.1 Host: foobar.com User-Agent: Mozilla ..... ...
this is how HTTP works.
you can filter allowed host header values with this code:
when RULE_INIT { set static::allowed_hosts [list foobar.com www.foobar.com www.company.com] } when HTTP_REQUEST { if {[lsearch [string tolower [HTTP::host]] $static::allowed_hosts] != -1} HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]" }
- Hannes_Rapp_162
Nacreous
Yup, as noted, this is not a vulnerability. I understand auditors must at all times provide as many vulnerability findings to justify their job but I've not yet met anyone provide me crap that does not relate to security at all. If one of your clients is a victim of a MITM attack, he is susceptible to worse things than HTTP Host rewrites. If there's a takeaway, consider another security audit firm, or ask for someone who knows his stuff a bit better.
The only vulnerability I see here is that "BigIP" is exposed as value of Server header. This qualifies as "low risk" security issue because attacker can use this information to look for existing exploits against BigIP software, or use the knowledge to his advantage in any other way.
- goyogi
Nimbostratus
Thanks for all of the feedback. It's much appreciated. I suppose I can put in a rule that says if host /= *.foobar.com then drop and log.
Something like this
priority 150 when HTTP_REQUEST {
if {not(([string tolower [HTTP::header values Host]]) contains "foobar.com")} { log local0. "block.host.header.redirect.irule dropped connection from [IP::client_addr]" drop } }
- Hannes_Rapp
Nimbostratus
Yup, as noted, this is not a vulnerability. I understand auditors must at all times provide as many vulnerability findings to justify their job but I've not yet met anyone provide me crap that does not relate to security at all. If one of your clients is a victim of a MITM attack, he is susceptible to worse things than HTTP Host rewrites. If there's a takeaway, consider another security audit firm, or ask for someone who knows his stuff a bit better.
The only vulnerability I see here is that "BigIP" is exposed as value of Server header. This qualifies as "low risk" security issue because attacker can use this information to look for existing exploits against BigIP software, or use the knowledge to his advantage in any other way.
- goyogi
Nimbostratus
Thanks for all of the feedback. It's much appreciated. I suppose I can put in a rule that says if host /= *.foobar.com then drop and log.
Something like this
priority 150 when HTTP_REQUEST {
if {not(([string tolower [HTTP::header values Host]]) contains "foobar.com")} { log local0. "block.host.header.redirect.irule dropped connection from [IP::client_addr]" drop } }
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com