HTTP HOST header attacks
•Télécharger en tant que PPTX, PDF•
6 j'aime•19,777 vues
Sergey Belov - HTTP HOST header attacks
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (20)
Similaire à HTTP HOST header attacks
Similaire à HTTP HOST header attacks (20)
Plus de DefconRussia
Plus de DefconRussia (12)
Dernier
Dernier (20)
HTTP HOST header attacks
- 2. 2 main puproses: Virtual host Proxy balancer GET / HTTP/1.1 Host: www.example.com ...
- 3. Tampering can leak to: Password reset poisoning Cache poisoning Access to internal hosts Cross Site Scripting + filter bypass
- 4. Normal cases: <a href=“//user/page”>page</a> <a href=“http://example.com/user/page”>page</a>
- 5. Possible results after tampering: Error Default host / N/A First virtual host (apache / nginx – 000-default.conf) Tampered header in result html GET / HTTP/1.1 Host: www.evil.com ...
- 6. Test case: 1) Go to password reset page 2) Spoof HOST header to attacker.com 3) Use victim’s email & submit
- 9. Possible victims: • Drupal • Django • Joomla • ...? For developers: • https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-ALLOWED_HOSTS • https://www.drupal.org/node/2221699
- 11. Normal cases: <a href=“//user/page”>page</a> <a href=http://example.com/user/page>page</a>
- 12. 1) Spoof GET / HTTP/1.1 Host: www.evil.com
- 13. 2) Spoof with 2 headers GET / HTTP/1.1 Host: www.example.com Host: www.evil.com
- 14. 3) Spoof with X-Forwarded GET / HTTP/1.1 Host: www.evil.com X-Forwarded-Host: evil.com
- 15. 1,2,3 can leak to perm XSS on server side
- 16. A typical action while penesting – bruteforcing subdomains What about HOST header bruteforcing?
- 17. Let’s try to bruteforce HOST here!
- 18. MSF - /modules/auxiliary/scanner/http/vhost_scanner.rb – isn’t good valstr = [ "admin", "services", "webmail", "console", "apps", "mail", "intranet", "intra", "spool", "corporate", "www", "web" ]
- 19. example.com Prefixes • beta.example.com • dev.example.com • ... Zones • example.test • example.dev • example.beta • ... + different combinations https://github.com/BeLove/avhbf - good :)
- 20. Facts: Originally disclosed by @Black2Fan in 2013 HOST header appears in result HTML Works only in IE
- 21. Our goal – Spoof HOST header in request by victim (like a reflected XSS/CSRF)
- 22. Host header after redirect Normal case Response: ... Location: http://example.com%2flogin.php Request: ... Host: example.com
- 23. Host header after redirect IE (any version) case Response: ... Location: http://example.com%2flogin.php Request: ... Host: example.com/login.php
- 24. GET /login.phphp/ HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: pl-PL User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: example.com/login.php DNT: 1 Connection: Keep-Alive Cache-Control: no-cache
- 26. XSS filter bypass (original example) http://blackfan.ru %252F<img%252Fsrc='x'onerror=alert(1)> %252F.%252e%252F.%252e%252F%253F%2523
- 27. Now https://sergeybelove.ru/one-button-scan/ can do this check & auto-generate exploits
- 28. http://www.skeletonscribe.net/2013/05/practical-http-host-header- attacks.html https://web.archive.org/web/20131107024350/http://blackfan.ru/ http://www.acunetix.com/blog/articles/automated-detection-of-host- header-attacks/ http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
- 29. Spoof host header while pentesting1!11!!1!!!! Any questions? @sergeybelove