Forum Discussion

Thiyagu
Sep 23, 2019

Is there any option on LTM to prevent Host Header Injection

Hello All,

Is there any option on LTM to prevent Host Header Injection? If so, do we need to use iRules, or can we use an existing policy to accomplish this?

 

Regards,

Thiyagu

  • Hi,

    First, what is a host header attack (injection)?

    The host header specifies which website or web application should process an incoming HTTP request. The web server uses the value of this header to dispatch the request to the specified website or web application.

    If we take the example of SharePoint, which can host multiple sites through the same IP: according to the hostname (host header), the user's request is forwarded to the right site/app.

     By using this attack, we can check whether the host is properly validated or not (OWASP rank: A6, Security Misconfiguration).

     For more info:

     https://medium.com/@rockerramg94/host-header-injection-attack-6cf4ffeb5a03

     In order to avoid this kind of attack, you can set an iRule which filters on valid hostnames.

     when HTTP_REQUEST {
         # Lowercase the Host header so the match is case-insensitive.
         # Note: HTTP::host returns the raw header value, so a client that sends
         # "app1.mydomain.com:443" will not match these exact patterns.
         switch -glob [string tolower [HTTP::host]] {
             "app1.mydomain.com" -
             "app2.mydomain.com" -
             "app3.mydomain.com" {
                 log local0. "Valid Hostname"
             }
             default {
                 # iRule commands are lowercase: "drop", not "Drop"
                 drop
                 # you can return a specific response instead...
             }
         }
     }

    You can also use a data group for the hostnames...

    Keep in touch if you need more details.

    regards
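
    The same allowlist check built on a data group, with the Host header normalised before the lookup, as an added example that is not part of the original reply or of F5's own documentation. It assumes a String data group named allowed_hosts (a hypothetical name) that holds the lowercase hostnames, and it answers unknown hosts with an explicit 4xx instead of dropping the connection, which is easier to troubleshoot from the client side.

```tcl
# Added example (not from the original post): Host header allowlist via a data group.
# Assumes a String data group named "allowed_hosts" exists, containing lowercase
# hostnames such as app1.mydomain.com, app2.mydomain.com, app3.mydomain.com
# (the data group name and the hostnames are hypothetical).
when HTTP_REQUEST {
    # HTTP::host returns the raw Host header, which may carry a port
    # (e.g. "app1.mydomain.com:8443"), so keep only the part before the first
    # colon and lowercase it before matching.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Reject a missing or empty Host header outright.
    if { $host eq "" } {
        HTTP::respond 400 content "Missing Host header" "Content-Type" "text/plain" "Connection" "close"
        return
    }

    # Exact-match lookup against the data group (no glob), so a lookalike such as
    # "app1.mydomain.com.evil.example" is not accepted by accident.
    if { [class match $host equals allowed_hosts] } {
        # Valid hostname; let the request continue to the pool.
        return
    }

    # Anything else is logged and answered with 421 Misdirected Request.
    # Replace the HTTP::respond with the lowercase "drop" command if you prefer
    # to close the connection without sending a response.
    log local0. "Rejected request with invalid Host header: [HTTP::host] from [IP::client_addr]"
    HTTP::respond 421 content "Misdirected Request" "Content-Type" "text/plain" "Connection" "close"
}
```

    Stripping the port before the lookup is what keeps the exact-match data group usable when clients send Host with a non-default port; the data group itself should contain only bare lowercase hostnames. Logging the rejected value together with the client address gives the SOC something to alert on, since a steady stream of unknown Host values against one virtual server is a common sign of someone probing for virtual-host confusion or cache poisoning.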

    • ammacdo

      I tried to use this iRule to do the same thing as the OP but I get this message when I try to save the iRule:

      01070151:3: Rule [/Common/HostHeaderProtection] error: /Common/HostHeaderProtection:7: error: [undefined procedure: Drop][Drop]

      Here is my iRule (replaced my host name with host.domain.com):

      when HTTP_REQUEST {
          switch -glob [string tolower [HTTP::host]] {
              "host.domain.com" {
                  log local0. "Valid Hostname"
              }
              default {
                  # the line the save error points at: "Drop" is not a defined iRule command
                  Drop
              }
          }
      }