Tom Monroe

asked on

Help with a vulnerability report

I've been tasked to resolve this vulnerability but I can't figure out where to even update this at. Where does one go on their servers to change this? It's flagged for our email domain.

Mail.domaiin.com

Vulnerability Class: Improper Input Handling
Additional Information: host_header
Status: Open
URL: Mail.domain.com
Rating: Medium (customized)
Opened: 2018-07-17 06:38:56 -0700

Custom Solution: In Apache (http://httpd.apache.org/docs/trunk/vhosts/examples.html#defaultallports) and Nginx (https://www.nginx.com/resources/wiki/start/topics/examples/server_blocks/) you can make SERVER_NAME trustworthy which can be done by creating a dummy vhost that catches all requests with invalid Host headers. Another method under Nginx is to specify a non-wildcard SERVER_NAME (http://nginx.org/en/docs/http/server_names.html) and under Apache you can use a non-wildcard serverName (http://httpd.apache.org/docs/2.2/mod/core.html#servername) and turning the UseCanonicalName directive on.

In IIS one method is to have proper bindings setup with a specified host header (https://www.iis.net/configreference/system.applicationhost/sites/site/bindings/binding) so that if someone changes the host header it will not reach the web site on IIS.

Alternatively, at the application level, you can attempt to validate any values coming from the Host or X-Forwarded-Host request headers using a whitelist of acceptable values. You can also choose not to use host header values that come from

The application uses the input coming from the Host or X-Forwarded-Host request headers as part of the response without proper validation. Information from these headers should not be trusted as it is just another client side value an attacker can tamper with which can result in unintended behavior. Practical attacks were discussed in the article http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html and involve hijacking links and resources in the response.

Examples:
<link href="http://_SERVER['HOST']/">
<script src="http://_SERVER['HOST']/misc/jquery.js?v=1.4.4">

To reproduce the vulnerability follow these steps:
1) Determine if the request discovered was placed authenticated or unauthenticated and log in as necessary.
2) Place the request discovered in the attack vector details
3) Intercept the request using a proxy tool
4)
 - If the query string contains the value 'host_header=host', edit the "Host: YOURSITE" request header to "Host: host.whitehatsec.com".
 - If the query string contains the value 'x_forwarded_host=host', add the request header "X-Forwarded-Host: host.whitehatsec.com"
6) Forward the edited request
7) Search for "host.whitehatsec.com" in the response and observe that the injection reflects

This demonstrates that the application is using the value of the "Host" or "X-Forwarded-Host" header in its response. This is vulnerable behavior because the user can control the values of the request headers.

References
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
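
The application-level remediation named in the report (validate Host and X-Forwarded-Host against a list of acceptable values, and do not build response URLs from them) can look like the following. This is an added example, not part of the original post or the scanner report; `mail.example.com`, the proxy address and all function names are assumptions made for illustration.

```python
import re

# Constructed values for illustration; substitute the site's real names and proxy addresses.
ALLOWED_HOSTS = {"mail.example.com"}
CANONICAL_HOST = "mail.example.com"   # the only host ever written into responses
TRUSTED_PROXIES = {"10.0.0.5"}        # peers permitted to supply X-Forwarded-Host

# host name, optional trailing dot, optional :port
_HOST_RE = re.compile(r"([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)\.?(?::(\d{1,5}))?")

def normalize_host(value):
    """Lower-case the value, drop port and trailing dot; None if it is malformed."""
    if not value:
        return None
    m = _HOST_RE.fullmatch(value.strip().lower())
    if m is None or (m.group(2) and int(m.group(2)) > 65535):
        return None
    return m.group(1)

def validated_host(headers, peer_ip):
    """Return the allowlisted host for this request, or None if it must be refused."""
    h = {k.lower(): v for k, v in headers.items()}
    host = normalize_host(h.get("host"))
    if host not in ALLOWED_HOSTS:
        return None
    fwd = h.get("x-forwarded-host")
    # X-Forwarded-Host is consulted only when the direct peer is a known proxy;
    # from any other client it is ignored and never reaches the response.
    if fwd is not None and peer_ip in TRUSTED_PROXIES:
        host = normalize_host(fwd)  # a comma-separated chain fails the pattern
        if host not in ALLOWED_HOSTS:
            return None
    return host

def absolute_url(path, headers, peer_ip):
    """Build a link for the response from the configured name, never from the header."""
    if validated_host(headers, peer_ip) is None:
        raise ValueError("400 Bad Request: unrecognized Host header")
    return "https://%s/%s" % (CANONICAL_HOST, path.lstrip("/"))

if __name__ == "__main__":
    # Constructed request mirroring the report's reproduction step 4.
    tampered = {"Host": "host.whitehatsec.com"}
    print(validated_host(tampered, "203.0.113.9"))
    print(absolute_url("/misc/jquery.js", {"Host": "Mail.Example.com:443"}, "203.0.113.9"))
```

With this in place the scanner's check in step 7 finds nothing to match, because the tampered value is either refused or ignored and the response is built from `CANONICAL_HOST`.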
ASKER CERTIFIED SOLUTION
Dr. Klahn

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: 'Dr. Klahn' (https:#a42626715)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer