What is HHI (Host Header Injection) & How to Simply Test the Vulnerability
- Definition
Host Header Injection is a web security vulnerability that occurs when an attacker is able to manipulate or inject malicious input into the “Host” header of an HTTP request. The “Host” header is a crucial part of the HTTP protocol and is used by web servers to determine which virtual host or website the client is requesting.
The vulnerability arises when a web application relies on the value of the “Host” header to process requests (for example to build absolute links or redirect targets) and does not properly validate this input. If an attacker can inject a malicious “Host” value, they may be able to manipulate the application’s behavior in unintended ways. Two alternative ways of manipulating the Host value are the X-Forwarded-Host header and Double Host Injection (sending two Host headers in one request).
In certain setups, a reverse proxy or framework takes X-Forwarded-Host in place of the Host header, so its value overrides the real Host and drives how the request is handled.
- How to Test the Vulnerability
In my experience in web penetration testing, the simplest way to detect and test for Host Header Injection is to send a request carrying an extra or duplicate host value and check whether it is reflected in the response:
GET / HTTP/1.1
Host: www.vulnerable.com
X-Forwarded-Host: www.malicious.com

Potentially producing client-side output such as:

[…]
<link src="http://www.malicious.com/link" />
[…]
or
GET / HTTP/1.1
Host: www.vulnerable.com
Host: www.malicious.com

Also, this may cause a 302 redirect to the supplied domain:
HTTP/1.1 302 Found
[…]
Location: http://www.malicious.com/login
- Conclusion
To mitigate Host Header Injection vulnerabilities, web applications should validate and sanitize user input, especially headers, to ensure that they conform to expected patterns.
Additionally, developers should avoid relying solely on the “Host” header for critical decisions and implement security measures such as strong access controls and input validation. Regular security assessments and testing can help identify and address such vulnerabilities in web applications.
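The following is an added example (not code from the original post) showing the server-side check that the conclusion describes, applied to the three request shapes from the test section above: a plain request, one with X-Forwarded-Host, and one with a duplicate Host header. The hostnames in ALLOWED_HOSTS, the trusted proxy address, and the sample requests are all constructed assumptions for the demonstration.

```python
"""Host header validation: allowlist the Host, reject duplicate Host headers,
honour X-Forwarded-Host only from a trusted proxy, and build redirect URLs
from the validated hostname rather than from the raw header.

Example code added for this post; the hostnames below are assumptions."""

from urllib.parse import urlsplit

# Assumption: the application is only ever served under these hostnames.
ALLOWED_HOSTS = {"www.vulnerable.com", "vulnerable.com"}
# Assumption: only this reverse-proxy address is allowed to set X-Forwarded-Host.
TRUSTED_PROXIES = {"10.0.0.5"}


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (request_line, headers).

    Headers are kept as a list of (name, value) pairs rather than a dict so
    that duplicate headers survive parsing and can be detected."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def effective_host(headers, client_ip: str) -> str:
    """Return the hostname the application may trust, or raise ValueError.

    Rules:
      * exactly one Host header, otherwise the request is ambiguous;
      * X-Forwarded-Host is honoured only when sent by a trusted proxy;
      * the resulting hostname must be in ALLOWED_HOSTS.
    """
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1:
        raise ValueError(f"expected exactly one Host header, got {len(hosts)}")

    candidate = hosts[0]
    forwarded = [v for n, v in headers if n == "x-forwarded-host"]
    if forwarded and client_ip in TRUSTED_PROXIES:
        # A proxy may chain several values; the first is the client-facing host.
        candidate = forwarded[0].split(",")[0].strip()
    # From any other client X-Forwarded-Host is simply ignored.

    # Drop an explicit port, lower-case the name, and catch userinfo tricks
    # such as "www.vulnerable.com@evil" by going through a real URL parser.
    hostname = urlsplit("//" + candidate).hostname
    if hostname is None or hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host {candidate!r} is not an allowed host")
    return hostname


def safe_redirect_location(headers, client_ip: str, path: str) -> str:
    """Build a Location value from the validated host, never from raw input."""
    return f"https://{effective_host(headers, client_ip)}{path}"


def check(raw: str, client_ip: str = "203.0.113.7"):
    """Return ('ok', host) or ('rejected', reason) for a raw request."""
    _, headers = parse_request(raw)
    try:
        return ("ok", effective_host(headers, client_ip))
    except ValueError as exc:
        return ("rejected", str(exc))


# Constructed sample requests mirroring the three shapes shown in the post.
LEGIT = "GET / HTTP/1.1\r\nHost: www.vulnerable.com\r\n\r\n"
XFH = ("GET / HTTP/1.1\r\nHost: www.vulnerable.com\r\n"
       "X-Forwarded-Host: www.malicious.com\r\n\r\n")
DOUBLE = ("GET / HTTP/1.1\r\nHost: www.vulnerable.com\r\n"
          "Host: www.malicious.com\r\n\r\n")

if __name__ == "__main__":
    for name, raw in [("plain", LEGIT), ("x-forwarded-host", XFH), ("double host", DOUBLE)]:
        print(f"{name:17s} -> {check(raw)}")
    print("from trusted proxy ->", check(XFH, client_ip="10.0.0.5"))
```

Note the two different outcomes for the X-Forwarded-Host request: from an ordinary client the header is ignored and the request proceeds under the real Host, while from the trusted proxy the forwarded value is taken seriously and then rejected by the allowlist. Either way the malicious hostname never reaches the code that builds links or Location headers.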
Reference:
https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/