
[UE] How to prevent Host Header Injection Vulnerability

Added by mpleader 2 months ago

Hi all,

version:
lighttpd/1.4.54 (ssl) - a light and fast webserver

I have a SECURITY problem in my project; when a user modifies the request header "Host" and visits a non-defined URI, such as

curl -vLk https://myweb.com/nodef -H "Host: attack.target" 

it will receive a 301 response and then try to connect to https://attack.target/nodef

I thought I could make some setting in lighttpd.conf like:

$HTTP["host"] =~ "myhost" {
    # PASS: the Host header names our own site
} else {
    # Host was changed by somebody: deny every path
    url.access-deny = ("")
}

But I don't know how to get the web server's run-time host IP/domain in lighttpd.conf.
Maybe there is another way to prevent the 301 Moved Permanently?
Or another way to check whether $HTTP["host"] was changed?

I have been researching for many days and have not found many usable tips; I need some advice, thanks.


Replies (4)

RE: How to prevent Host Header Injection Vulnerability - Added by avij 2 months ago

This is not a security problem. If lighttpd responds with a HTTP 301 code, it is up to the client to decide what to do next. curl by default does not follow redirects, but does if you use the -L switch. If it bothers you that curl follows redirects, drop the -L option from your command line.

RE: How to prevent Host Header Injection Vulnerability - Added by gstrauss 2 months ago

I have been researching for many days and have not found many usable tips; I need some advice, thanks.

That is almost assuredly a lie. Please do provide some details to share with us what you have been doing for multiple days.

Do you understand the concept of a "virtual host"?

Or another way to check whether $HTTP["host"] was changed?

Did you look at the output from curl -v and examine what curl is sending to lighttpd? If lighttpd receives Host: attack.target, then that is what lighttpd receives. There is no "change" for lighttpd to detect unless you have configured lighttpd.conf to allow only the host you specify, as you did in your post above, or as could be done more simply with

$HTTP["host"] != "myhost" {
    url.access-deny = ("")
}
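
The allowlist approach from the reply above, carried through into a minimal lighttpd.conf as an added example (not configuration from the original thread or from the lighttpd project). The hostnames, document root, and certificate path are assumptions. It shows the weak state (no host gate, so any Host value is accepted and a redirect's Location is built from whatever Host the client sent) beside the hardened state (only the canonical names are served; everything else is denied before lighttpd can emit a redirect):

```lighttpd
# Added example, not from the original thread: gate every request on the
# Host header so a forged Host never reaches a Location header.
# Assumed names: myweb.com / www.myweb.com, /var/www/myweb, /etc/lighttpd/myweb.pem

server.document-root = "/var/www/myweb"
server.port          = 80

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/myweb.pem"
}

# Weak configuration (what the original post effectively had): a condition
# that matches a name the server is never asked for, and nothing in the
# fall-through branch. Any Host value is accepted, and a directory redirect
# such as "/nodef" -> "/nodef/" copies the client-supplied Host into Location.
#
#   $HTTP["host"] =~ "myhost" {
#       # never matches a real request, so nothing is denied
#   }

# Hardened configuration: allowlist the canonical hostnames. A regex is used
# so that an explicit port (Host: myweb.com:443) and mixed case still match.
$HTTP["host"] !~ "(?i)^(www\.)?myweb\.com(:443)?$" {
    # Unknown or forged Host: deny every path. lighttpd answers 403 here and
    # never evaluates a redirect for the request.
    url.access-deny = ( "" )
}
```

Check the syntax with `lighttpd -t -f /etc/lighttpd/lighttpd.conf`, then repeat the original test with the redirect-following option removed: `curl -vk https://myweb.com/nodef -H "Host: attack.target"` should return 403 with no Location header, while the same request with `-H "Host: myweb.com"` behaves as before. The entry `""` in url.access-deny is lighttpd's way of denying all paths, which is the same setting the original poster used; the only change is that it now sits under a condition that actually describes the server's own names.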

RE: [UE] How to prevent Host Header Injection Vulnerability - Added by mpleader about 2 months ago

Guys, thanks for the responses, I appreciate it.

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection

I think my teammate misunderstood some of its description; they probably should NOT use this command as a verification method.

curl -vLk https://myweb.com/nodef -H "Host: attack.target" 

And OWASP does not mention 301 Moved Permanently.

Am I right?

RE: [UE] How to prevent Host Header Injection Vulnerability - Added by gstrauss about 2 months ago

version:
lighttpd/1.4.54 (ssl) - a light and fast webserver

I have a SECURITY problem in my project

First security problem is that you do not know how to update your software. lighttpd 1.4.76 is the current stable release of lighttpd.

Second problem is that you have misconfigured your lighttpd.conf. If you want to configure how lighttpd responds to a known virtual host compared to an unknown virtual host, you have to configure lighttpd.conf to recognize the known virtual host.

Third problem is that you're asking on a public forum for us to do your homework for you. Good luck.
