Attacking thru HTTP Host header
HTTP HOST header attacks
Sergey Belov, @sergeybelove
HOST header
Two main purposes:
• Virtual host
• Proxy balancer

    GET / HTTP/1.1
    Host: www.example.com
    ...
HOST header attacks
Tampering can lead to:
• Password reset poisoning
• Cache poisoning
• Access to internal hosts
• Cross Site Scripting + filter bypass
Password reset poisoning
Normal cases:
• <a href="//user/page">page</a>
• <a href="http://example.com/user/page">page</a>
Password reset poisoning
Possible results after tampering:
• Error
• Default host / N/A
• First virtual host (apache / nginx – 000-default.conf)
• Tampered header in result HTML

    GET / HTTP/1.1
    Host: www.evil.com
    ...
Password reset poisoning
Test case:
1) Go to password reset page
2) Spoof HOST header to attacker.com
3) Use victim's email & submit
Password reset poisoning
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
Password reset poisoning
http://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
Password reset poisoning
Possible victims:
• Drupal
• Django
• Joomla
• ...?
For developers:
• https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-ALLOWED_HOSTS
• https://www.drupal.org/node/2221699
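The bug behind password reset poisoning is an absolute URL built from the request's Host header; the fix the framework links above describe is to allow-list the host and build links from configuration. Added example, not from the deck or any of the projects named; ALLOWED_HOSTS, CANONICAL_HOST and the function names are assumptions.

```python
from urllib.parse import urlunsplit

# Assumed deployment configuration (hypothetical values), in the spirit of
# Django's ALLOWED_HOSTS: the only names this application may be reached at.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
CANONICAL_HOST = "www.example.com"


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The pattern the slides attack: an absolute URL built from whatever
    Host the client sent, so a spoofed Host lands in the victim's e-mail."""
    return f"http://{headers['Host']}/reset?token={token}"


def validated_hostname(headers: dict) -> str:
    """Return the request's hostname only if it is on the allow-list.
    The port is stripped and case folded; IPv6 literals are not handled here."""
    host = headers.get("Host", "")
    hostname = host.split(":")[0].lower()
    if hostname not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host header: {host!r}")
    return hostname


def reset_link_hardened(headers: dict, token: str) -> str:
    """Validate Host, then build the link from configuration, never from
    the request, so a tampered header cannot steer where the link points."""
    validated_hostname(headers)  # reject the whole request if Host is off
    return urlunsplit(("https", CANONICAL_HOST, "/reset", f"token={token}", ""))


if __name__ == "__main__":
    # Constructed headers for the slide's test case: Host spoofed to attacker.com.
    spoofed = {"Host": "attacker.com"}
    print(reset_link_vulnerable(spoofed, "abc123"))  # points at attacker.com
    try:
        reset_link_hardened(spoofed, "abc123")
    except ValueError as err:
        print("rejected:", err)
```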
Cache poisoning
Cache poisoning
Normal cases:
• <a href="//user/page">page</a>
• <a href="http://example.com/user/page">page</a>
Cache poisoning
2) Spoof with 2 headers

    GET / HTTP/1.1
    Host: www.example.com
    Host: www.evil.com
Cache poisoning
3) Spoof with X-Forwarded

    GET / HTTP/1.1
    Host: www.evil.com
    X-Forwarded-Host: evil.com
Cache poisoning
1, 2, 3 can lead to persistent XSS on the server side
Access to internal hosts
A typical action while pentesting – bruteforcing subdomains
What about HOST header bruteforcing?
Access to internal hosts
Let’s try to bruteforce HOST here!
Access to internal hosts
MSF – /modules/auxiliary/scanner/http/vhost_scanner.rb – isn't good:

    valstr = [ "admin", "services", "webmail", "console", "apps", "mail", "intranet", "intra", "spool", "corporate", "www", "web" ]
Access to internal hosts
example.com
Prefixes
• beta.example.com
• dev.example.com
• ...
Zones
• example.test
• example.dev
• example.beta
• ...
+ different combinations
https://github.com/BeLove/avhbf – good :)
Cross Site Scripting
Facts:
• Originally disclosed by @Black2Fan in 2013
• HOST header appears in result HTML
• Works only in IE
Cross Site Scripting
Our goal – spoof the HOST header in a request sent by the victim (like a reflected XSS/CSRF)
Cross Site Scripting
Host header after redirect – normal case
Response:
    ...
    Location: http://example.com%2flogin.php
Request:
    ...
    Host: example.com
Cross Site Scripting
Host header after redirect – IE (any version) case
Response:
    ...
    Location: http://example.com%2flogin.php
Request:
    ...
    Host: example.com/login.php
Cross Site Scripting

    GET /login.phphp/ HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: pl-PL
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: example.com/login.php
    DNT: 1
    Connection: Keep-Alive
    Cache-Control: no-cache
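All three tampering shapes in this deck are visible in the raw request: the duplicate Host header and the client-supplied X-Forwarded-Host from the cache poisoning slides, and the Host value containing a path from the IE redirect case above. Added example, not from the slides: a small check a server or log review could run over a raw request; the constant TRUST_X_FORWARDED_HOST, the function names and the sample requests are constructed (the allow-list comparison is a separate step not shown here).

```python
import re

# Assumed: this app is not behind a proxy that sets X-Forwarded-Host, so a
# client-supplied one is untrusted (hypothetical setting).
TRUST_X_FORWARDED_HOST = False

# host = reg-name / IPv4 [":" port]; a "/", "%2f" or space is not a valid host.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def parse_headers(raw_request: str) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.1 request into (name, value) pairs, keeping
    duplicates and order so a second Host header is not silently dropped."""
    lines = raw_request.strip().splitlines()[1:]  # skip the request line
    pairs = []
    for line in lines:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def host_header_findings(raw_request: str) -> list[str]:
    """Flag the tampering shapes shown on the slides. Returns the reasons
    found; an empty list means the Host handling of this request looks sane."""
    headers = parse_headers(raw_request)
    hosts = [v for n, v in headers if n == "host"]
    findings = []
    if len(hosts) != 1:
        findings.append(f"expected exactly one Host header, got {len(hosts)}")
    for h in hosts:
        if not _HOST_RE.match(h):
            findings.append(f"malformed Host value {h!r}")
    if not TRUST_X_FORWARDED_HOST and any(n == "x-forwarded-host" for n, _ in headers):
        findings.append("X-Forwarded-Host present but no trusted proxy sets it")
    return findings


if __name__ == "__main__":
    # Constructed requests mirroring the slides; not captured traffic.
    two_hosts = "GET / HTTP/1.1\r\nHost: www.example.com\r\nHost: www.evil.com\r\n\r\n"
    forwarded = "GET / HTTP/1.1\r\nHost: www.evil.com\r\nX-Forwarded-Host: evil.com\r\n\r\n"
    ie_redirect = "GET /login.php/ HTTP/1.1\r\nHost: example.com/login.php\r\n\r\n"
    for req in (two_hosts, forwarded, ie_redirect):
        print(host_header_findings(req))
```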
Cross Site Scripting
Cross Site Scripting
XSS filter bypass (original example)

    http://blackfan.ru%252F<img%252Fsrc='x'onerror=alert(1)>%252F.%252e%252F.%252e%252F%253F%2523
Cross Site Scripting
Now https://sergeybelove.ru/one-button-scan/ can do this check & auto-generate exploits
Links
• http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
• https://web.archive.org/web/20131107024350/http://blackfan.ru/
• http://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
• http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
Finish
Spoof host header while pentesting1!11!!1!!!!
Any questions?
@sergeybelove