Host Header or HTTP Host Header
The host header specifies which website or web application should process an incoming HTTP request. The web server uses the value of this header to dispatch the request to the specified website or web application. Each web application hosted on the same IP address is commonly referred to as a virtual host.
Host header is a piece of information that can be used to identify web domain. For example host header for the URL
https://www.wartalab.blogspot.com is www.wartalab.blogspot.com.
The Host header specifies the domain name of the server.
Host Header Injection Prevention in PHP
As a web developer, you must know about host header injection so that you can secure your web application from malicious attacks.
What is Host Header Injection?
A host header injection exploits the vulnerability of some websites to accept host headers indiscriminately without validating or altogether escaping them.
This is dangerous because many applications rely on the host header to generate links, import scripts, determine the proper redirect address, generate password reset links, etc. So when an application retrieves the host header, it may end up serving malicious content in the response injected there.
An example would be a request to retrieve your e-banking web page: https://www.your-ebanking.com/login.php.
If the attacker can tamper with the host header in the request, changing it to https://www.attacker.com/login.php, this fake website could be served to users and trick them into entering their login credentials.
The above is a rough example of how a host header could be injected. A successful host header injection could result in web cache poisoning, password reset poisoning, access to internal hosts, cross-site scripting (XSS), bypassing authentication, virtual host brute-forcing, and more!
How to Prevent Host Header Injection in PHP
Copy the given below code and paste in your web application common file like header
<?php
$allowed_host = array('www.wartalab.blogspot.com', 'www.demos.wartalab.blogspot.com');
if (!isset($_SERVER['HTTP_HOST']) || !in_array($_SERVER['HTTP_HOST'], $allowed_host))
{
header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
exit;
}
?>
How to prevent Host header attacks?
Depending on your configuration type, there are different ways you can prevent host header injections. Of course, the most straightforward approach is to distrust the host header at all times and not use it in server-side code. This simple change can essentially eliminate the possibility of a host header attack being launched against you.
However, this may not always be possible, and if you need to use the host header, you should consider implementing the following measures.
Use relative URLs as much as possible.
Start by considering whether your absolute URLs are vital. Frequently, it is possible to use relative URLs instead.
If you need to use specific absolute URLs, such as transactional emails, the domain must be specified in the server-side configuration file and taken from there. This eliminates the possibility of password reset poisoning, as it will not refer to the host header when generating a token.
Validate Host headers
User input must always be considered unsafe and should be validated and sanitized first. One way to validate host headers, where needed, is to create a whitelist of permitted domains and check host headers in incoming requests against this list. Respectively, any hosts that are not recognized should be rejected or redirected.
To understand how to implement such a whitelist, see the relevant framework documentation.
When validating host headers, you must also establish whether the request came from the original target host or not.
Whitelist trusted domains
Already at the development stage, you should whitelist all trusted domain names from which your reverse proxy, load balancer, or other intermediary systems are allowed to forward requests. This will help you prevent routing-based attacks such as a Server-Side Request Forgery (SSRF).
Implement domain mapping
Map every origin server to which the proxy should serve requests, i.e., mapping hostnames to websites.
Reject override headers
Host override headers, such as X-Host and X-Forwarded-Host, are frequently used in header injections. Servers sometimes support these by default, so it’s essential to double-check that this is not the case.
Avoid using internal-only websites under a virtual host
Host headers injections can be used to access internal (private) domains. Avoid this scenario, do not host public and private websites on the same virtual host.
Create a dummy virtual host
If you use Apache or Nginx, you can create a dummy virtual host to capture requests from unrecognized host headers (i.e., forged requests) and prevent cache poisoning.
Fix your server configuration
Host header injections are frequently due to default settings, and faulty or old server configurations. Inspecting and fixing your server configuration can eliminate significant vulnerabilities that open the door for injections.
Hope you understood how to prevent host header inject in PHP. If you liked this article, please share with others.
No comments:
Post a Comment