Unauthorized URL redirect via HTTP Host header injection - A deep dive

This article introduces unauthorized URL redirect (open redirect) via HTTP Host header injection.

A client MUST include a Host header field in every HTTP/1.1 request message. If the request-target does not carry an authority component (an Internet host name for the requested service), the Host header MUST still be sent, with an empty value. A server MUST answer any HTTP/1.1 request that lacks a Host header field with a 400 (Bad Request) status code; the same applies to a request carrying more than one Host header or a Host header with an invalid value.

Applications behind virtual hosts and load balancers identify the requested site by the Host header: a single IP address may serve multiple websites, and when a request arrives the server uses the Host field to route it to the correct one. The Host value is entirely under the client's control, so an application that copies it into something it later hands back to users (a Location header, a password reset link, a cached page) can be made to point those users at a host of the attacker's choosing. The Host header must therefore be validated against the list of host names the application actually serves before it is used to build a redirect or any other absolute URL.

There are several different types of attacks related to Host header injection:
  •  Unauthorized URL Redirect by Cache poisoning
  •  Password Reset Poisoning
  •  Access to internal hosts
  •  Cross site scripting
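As an added example, not taken from the article or the attached PDF, the Python below shows a password-reset link builder that trusts the Host header beside a hardened version that parses the header per RFC 7230 and checks it against an allow-list of served host names, together with a check for redirect targets. The host names, the reset-link format and the header dictionary are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Host names this deployment actually serves. In a real application this
# comes from configuration; the names here are constructed for the example.
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# RFC 7230 Host field-value: uri-host [ ":" port ]. This pattern accepts
# registered names and IPv4 literals with an optional port; IPv6 literals
# ("[::1]:8080") are deliberately rejected to keep the example short.
_HOST_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]{1,253})(?::(?P<port>\d{1,5}))?$")


def parse_host_header(value):
    """Return (host, port) from a Host header value or raise ValueError.

    A missing, empty or malformed Host is a ValueError so the caller can
    answer 400 Bad Request, as RFC 7230 requires. The host is lower-cased
    because DNS names are case-insensitive and the allow-list is lower-case.
    """
    if value is None:
        raise ValueError("missing Host header")
    m = _HOST_RE.match(value.strip())
    if not m:
        raise ValueError("malformed Host header: %r" % value)
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 0 < port < 65536:
        raise ValueError("invalid port in Host header: %r" % value)
    return m.group("host").lower(), port


def build_reset_link_vulnerable(headers, token):
    """Vulnerable: the link goes wherever the client's Host header says.

    An attacker requesting a reset for the victim's e-mail with
    'Host: attacker.example' gets the victim mailed a link to their host,
    carrying the reset token (password reset poisoning)."""
    return "https://%s/reset?token=%s" % (headers.get("Host"), token)


def build_reset_link_hardened(headers, token, allowed_hosts=ALLOWED_HOSTS):
    """Hardened: only a validated, allow-listed host is ever echoed back."""
    host, port = parse_host_header(headers.get("Host"))
    if host not in allowed_hosts:
        raise ValueError("Host %r is not served by this application" % host)
    authority = host if port in (None, 443) else "%s:%d" % (host, port)
    return "https://%s/reset?token=%s" % (authority, token)


def is_safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept a relative path or an absolute http(s) URL on an allowed host.

    Protocol-relative ('//evil.example') and backslash ('/\\evil.example')
    forms are rejected because browsers treat them as absolute URLs."""
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        return url.startswith("/") and url[1:2] not in ("/", "\\")
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() in allowed_hosts


if __name__ == "__main__":
    # Constructed request headers: one legitimate, one with an injected Host.
    good = {"Host": "www.example.com"}
    evil = {"Host": "attacker.example"}
    print(build_reset_link_vulnerable(evil, "t0k3n"))   # link points at attacker
    print(build_reset_link_hardened(good, "t0k3n"))     # link points at our site
    try:
        build_reset_link_hardened(evil, "t0k3n")
    except ValueError as exc:
        print("rejected:", exc)
    for target in ("/account", "//attacker.example/", "https://www.example.com/x"):
        print(target, is_safe_redirect_target(target))
```

The same allow-list check belongs in front of every place the application turns the Host header into an absolute URL, not only the reset link; where a reverse proxy is in use, the proxy should set or overwrite Host (and X-Forwarded-Host) itself rather than pass the client's value through.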
To explore the full article, please open the attached pdf
Authored by Syed Reza Rizvi
TCS Enterprise Security and Risk Management 