Host header vulnerability
Yup, as noted, this is not a vulnerability. I understand auditors must at all times provide as many vulnerability findings as possible to justify their job, but I've not yet met anyone who provided me crap that does not relate to security at all. If one of your clients is a victim of a MITM attack, he is susceptible to worse things than HTTP Host rewrites. If there's a takeaway, consider another security audit firm, or ask for someone who knows his stuff a bit better.
The only vulnerability I see here is that "BigIP" is exposed as the value of the Server header. This qualifies as a "low risk" security issue because an attacker can use this information to look for existing exploits against BigIP software, or use the knowledge to his advantage in any other way.
- goyogi, Dec 11, 2017
Thanks for all of the feedback. It's much appreciated. I suppose I can put in a rule that says if host /= *.foobar.com then drop and log.
Something like this:
    # iRule syntax puts the priority after the event name, not before it
    when HTTP_REQUEST priority 150 {
        # Lower-case the Host header and check it against the expected domain
        if { not ([string tolower [HTTP::header values Host]] contains "foobar.com") } {
            log local0. "block.host.header.redirect.irule dropped connection from [IP::client_addr]"
            drop
        }
    }
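A substring check such as `contains "foobar.com"` also lets through hosts like evilfoobar.com or foobar.com.attacker.net, so an exact allow-list is the safer form. The following iRule is an added example written for this thread, not code from the original post or from F5; it assumes the virtual server has an HTTP profile and that only foobar.com and its subdomains (with or without a port suffix) should be served.

```tcl
# Added example: exact allow-list for the Host header instead of a substring match.
# Assumes an HTTP profile on the virtual server; allowed names are listed inline.
when HTTP_REQUEST priority 150 {
    # HTTP::host returns the Host header; normalise case so "WWW.FOOBAR.COM" matches.
    set host [string tolower [HTTP::host]]

    # Glob patterns anchored at both ends: a name that merely contains "foobar.com"
    # (evilfoobar.com, foobar.com.attacker.net) falls through to the default branch.
    # The ":*" variants accept an explicit port such as www.foobar.com:443.
    switch -glob -- $host {
        "foobar.com" -
        "foobar.com:*" -
        "*.foobar.com" -
        "*.foobar.com:*" {
            # Expected host: allow the request to proceed to the pool.
        }
        default {
            # Also reached when the Host header is absent (HTTP/1.0 clients), since
            # $host is then empty; log the client address and the offending value.
            log local0. "host-allowlist irule dropped connection from [IP::client_addr] host=\"$host\""
            drop
        }
    }
}
```

Dropping is silent; use `reject` instead if you prefer the client to receive a reset rather than a hang.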