Host Header Attack
This proof-of-concept describes a vulnerability in a website's member area that I've analyzed as part of a penetration test.
This class of vulnerability is known as a Host header attack.
The Host header specifies the domain name that the client wants to access and is a mandatory part of every HTTP/1.1 request. Most developers treat this
header as trusted input and do not properly validate or escape it, which allows an attacker to manipulate server behaviour, for example the target of generated redirects.
The attacker must be able to intercept the data flowing between client and server, so proxy tools such as Burp Suite,
mitmproxy or custom scripts are used. It is sufficient to automatically overwrite the Host header in order to redirect
the POST requests to an arbitrary server.
Of course, a proxy in that position allows you to do much more, such as reading the password directly in clear text. In my
opinion the exploitation of this kind of vulnerability is more elegant than others.
Scenario: Forward username and password to an arbitrary host
1. The user enters username and password in the login form.
2. The request is intercepted and the Host header is replaced with a hostname controlled by the attacker.
3. The server fails to validate the header and responds with a redirect to the attacker-controlled hostname.
4. The browser then follows the redirection URL.
5. The browser posts the login request, with the entered credentials, to the attacker's server.
6. On the attacker's side the credentials appear in the server logs.
Mitigation
The server (and the corresponding load balancer) should be configured to forward requests only to whitelisted domains; any request carrying an unknown Host value should be answered with an error rather than used to build a redirect.
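The check in code form, as an added example that is not part of the original write-up: a small login-redirect helper that, beside the vulnerable pattern from the scenario, validates the Host header against an allowlist and builds the Location URL from a configured canonical host instead of the request. Hostnames, the `/login` path and the header dictionary are assumptions made for the example.

```python
"""Host header allowlisting before building a redirect (added example, not the post's code)."""
from typing import Optional

# Hostnames this application is authoritative for (assumed values for the example).
ALLOWED_HOSTS = {"members.example.com", "www.example.com"}
# Redirects are always built from this fixed value, never from the request.
CANONICAL_HOST = "members.example.com"
HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789.-")


def normalize_host(raw_host: Optional[str]) -> Optional[str]:
    """Lowercase, strip an optional :port, and reject anything that is not a bare hostname."""
    if not raw_host:
        return None
    host = raw_host.strip().lower()
    if host.startswith("["):          # bracketed IPv6 literals are out of scope here: reject
        return None
    host = host.split(":", 1)[0]      # drop ":443" etc.
    # Anything outside hostname characters (slashes, '@', whitespace, CR/LF) is rejected.
    if not host or any(c not in HOST_CHARS for c in host):
        return None
    return host


def redirect_location_vulnerable(headers: dict) -> str:
    """The pattern from the write-up: the Location URL is built from the untrusted Host header."""
    return "https://%s/login" % headers.get("Host", "")


def redirect_location_hardened(headers: dict) -> Optional[str]:
    """Return the redirect URL, or None when the caller must answer 400 instead.

    `headers` is assumed to use canonical header names. Reverse-proxy frameworks often
    honour X-Forwarded-Host as well, so it gets the same check when present.
    """
    for name in ("Host", "X-Forwarded-Host"):
        if name == "X-Forwarded-Host" and name not in headers:
            continue
        host = normalize_host(headers.get(name))
        if host is None or host not in ALLOWED_HOSTS:
            return None
    return "https://%s/login" % CANONICAL_HOST


if __name__ == "__main__":
    # Constructed request headers: the manipulated Host from the scenario.
    evil = {"Host": "attacker.invalid"}
    print("vulnerable:", redirect_location_vulnerable(evil))   # attacker-controlled URL
    print("hardened:  ", redirect_location_hardened(evil))     # None -> respond 400
```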