
Host Header Poisoning Explained

What it is, examples of companies vulnerable...



Host Header Poisoning is a type of attack that takes advantage of web applications that trust the Host header value in an HTTP request. By modifying the Host header, an attacker can potentially bypass security measures and gain unauthorized access to sensitive information or perform malicious actions on the targeted system.

How Host Header Poisoning Works

In a typical HTTP request, the Host header specifies the domain name of the web server that should handle the request. The web server relies on this value to route the request to the appropriate virtual host. However, if an application fails to properly validate and sanitize the Host header value, it gives attackers an opportunity to exploit this weakness.

Here's a basic HTTP request with a modified host header:

GET /page HTTP/1.1
Host: malicious-site.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

In this example, the attacker has replaced the original Host header value (e.g., pwn.guide) with their own malicious domain (malicious-site.com). If the web application fails to properly validate this header, it may process the request as if it were addressed to the attacker's domain and treat that value as its own hostname.

Code Example

Host header poisoning can be achieved through various techniques, such as modifying requests in a proxy server or using specific tools. Here's a Python script that demonstrates how an attacker can manipulate the host header value in an HTTP request:

import requests

# The connection still goes to target_url; only the Host header is overridden.
target_url = "http://example.com/"
headers = {
    "Host": "malicious-site.com",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
}
response = requests.get(target_url, headers=headers, timeout=10)

# Print the body to see how the server handled the modified Host header.
print(response.text)

Note: This code example is for educational purposes only. Engaging in any unauthorized activities or exploiting vulnerabilities without proper authorization is illegal and unethical.

Conclusion

Host Header Poisoning is a critical security vulnerability that can lead to serious consequences if left unchecked. Web applications should implement robust input validation and sanitization techniques to prevent such attacks. By understanding the mechanics and potential impact of host header poisoning, developers and security professionals can better defend against this attack and protect their applications and users.
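
One way to apply the validation recommended above is to allowlist the Host header before the application sees it. This is an added example, not code from the original article; the ALLOWED_HOSTS set, the HostAllowlist middleware, the demo_app and handle helpers, and the "app.validated_host" key are assumptions made for illustration.

```python
import re

# Assumed canonical hostnames for this deployment (constructed for the example).
ALLOWED_HOSTS = frozenset({"pwn.guide", "www.pwn.guide"})

# Hostname, optional trailing dot, optional :port. Anything else is malformed.
_HOST_RE = re.compile(r"([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)\.?(?::\d{1,5})?")


def normalize_host(raw):
    """Return the lowercased hostname without port, or None if malformed."""
    match = _HOST_RE.fullmatch(raw.strip().lower()) if raw else None
    return match.group(1) if match else None


class HostAllowlist:
    """WSGI middleware: answer 400 unless Host names one of our own sites."""

    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app = app
        self.allowed = frozenset(allowed)

    def __call__(self, environ, start_response):
        host = normalize_host(environ.get("HTTP_HOST"))
        if host not in self.allowed:
            body = b"Invalid Host header\n"
            start_response("400 Bad Request", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        # Downstream code reads the validated name, never the raw header.
        environ["app.validated_host"] = host
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Hypothetical application that builds an absolute URL for the page."""
    body = ("https://%s/page\n" % environ["app.validated_host"]).encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def handle(host_header):
    """Send one constructed request through the middleware; return (status, body)."""
    seen = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/page"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    chunks = HostAllowlist(demo_app)(environ, lambda status, headers: seen.append(status))
    return seen[0], b"".join(chunks)
```

Matching is exact after normalization, so a lookalike such as pwn.guide.malicious-site.com is rejected along with a missing or malformed header.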