Validate Host header to prevent Host header injection#208
Validate Host header to prevent Host header injection#208Maikuolan merged 2 commits intoshieldfy:masterfrom ayushmanchhabra:host
Conversation
ayushmanchhabra
changed the title
|
What could an invalid Host header be injected into? A reverse proxy is going to not be able to route it to a back-end and a custom app isn't ever going to find any content to serve... Is this just incase your logging analysis platform is vulnerable to xss? |
|
I can definitely see the value of this for certain kinds of APIs, but I don't think it would be necessary for every kind of API out there, and I imagine, could potentially get in the way of normal operation in some cases. A bit contextual, I think. That would then also raise the question of whether we should include contextual checks in the checklist, or leave them be, just including the most standard, common checks in the checklist (and honestly, I have no idea there; it may be a bit more work, but may also be a bit more useful for people that way.. or may not; I don't know). Does anyone else have any thoughts regarding this that they'd be willing to share? For now, I'd rather just leave this pull request open and postpone any decision for whether to merge it or not until there's a bit more feedback from others. |
|
This could be added as part of the This way the recommendation isn't a vague "maybe regex match the header" and also pushes the "no thanks" response all the way out to any loadbalancing / cdn / ssl terminating devices. It also makes it less likely that a random intern from the appsec team won't come and bother the developers |
421 Misdirected Request is exactly what I was thinking of! There have been cases where it is possible to redirect the website to another domain by tampering with the Host header. (Would that come under Host header injection or header based redirection?) My reasoning behind this was if the Host header is validated on every request, it would prevent that class of vulnerability. If there is no host header validation, then the request will be forwarded as usual by thr reverse proxy right? |
|
@ayushmanchhabra I believe you're thinking of "fronting", where the bad guy puts their infra on a popular service, and then uses a random good guy's dns names/certs to talk to the hosting providers' border proxy and they then set With this setup:
I think this is one of the main "reasons" sketchy enterprise security products love to MITM'ing https traffic when you're in the office. It's possible that mis-matched I'm sure somebody has written a howtos nginx/haproxy/caddie/træfic/etc to help prevent this kind of thing |
This makes sense to me |
@Maikuolan @guest20 moved under Access |
There was a problem hiding this comment.
I'll merge this now. 👍
I feel like maybe there are ways we could possibly improve this, by clarifying where it will/won't be useful, maybe by defining terms and such (e.g., SNI), but the same could be said for a lot of already existing entries in the list anyway, people can always use Google to figure out terms and such if need be, what's proposed by the PR is not actually wrong (more/less right depending on context, but eh), I'm not entirely sure what these feelings-of-possible-improvement would ultimately look like, it's easy enough to just send more PRs with more changes if people want more changes made, and this particular PR has been sitting around open for long enough now already, so I'll just go ahead and approve/merge it now.
3 participants
No description provided.