Description

In many cases, developers are trusting the HTTP Host header value and using it to generate links, import scripts and even generate password resets links with its value. This is a very bad idea, because the HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels like password reset emails.

Remediation

The web application should use the SERVER_NAME instead of the Host header. It should also create a dummy vhost that catches all requests with unrecognized Host headers. This can also be done under Nginx by specifying a non-wildcard SERVER_NAME, and under Apache by using a non-wildcard serverName and turning the UseCanonicalName directive on. Consult references for detailed information.

References

Practical HTTP Host header attacks

Apache

nginx

Automated Detection of Host Header Attacks

Related Vulnerabilities

Django Improper Input Validation Vulnerability (CVE-2019-3498)

Sqlite Improper Input Validation Vulnerability (CVE-2017-13685)

RubyGems Improper Input Validation Vulnerability (CVE-2017-0901)

WordPress Improper Input Validation Vulnerability (CVE-2008-2392)

OpenSSL Improper Input Validation Vulnerability (CVE-2016-6305)

Severity

Medium

Classification

CWE-20 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality