This article introduces unauthorized URL redirect (open redirect) via HTTP Host header injection. Before
going into the open redirect attack itself, I would like to clarify a few questions that will come to
mind.
1. Why is the HTTP Host header needed? Can we proceed without it?
RFC 2616 (section 14.23): a client MUST include a Host header field in all HTTP/1.1 request messages. If the
requested URI does not include an Internet host name for the service being requested, then the Host header
field MUST be given with an empty value. Any HTTP/1.1 request without a Host header field must be answered
by the server with a 400 (Bad Request) status code.
2. What is the main purpose of the HTTP Host header?
Applications behind virtual hosting or a load balancer identify each request by its Host header. A server is assigned a
single IP address that may host multiple websites. When a request arrives, the server routes it to the right
website by reading the Host field. The Host header must therefore be validated before it is used to redirect to a website.
3. What attacks are related to the Host header?
There are several different types of attacks related to Host header injection.
In this article, I am going to explain unauthorized URL redirect by cache poisoning. I will explain the other attack
scenarios in the second part of this article.
Unauthorized URL Redirect by Cache poisoning
1. Cache poisoning: a cache poisoning attack may be possible against a load balancer or a web application behind a
reverse proxy via HTTP Host header injection.
2. Unauthorized URL redirect via a single Host header
[Figure: side-by-side comparison of the original request and the tampered HTTP request]
Note: different web servers behave differently when the Host header is duplicated. NGINX uses the last Host header
to identify the request, while Apache/IIS concatenate them.
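The following is an added example, not code from the original article, showing the server-side check that points 2 and 3 above call for: the Host header is validated against an allowlist before any redirect is built, a missing or duplicated Host is refused (since, as the note says, servers disagree on which duplicate wins), and the Location header is built from a configured canonical host rather than from the request. The allowlist, canonical host and the sample requests are constructed values for this example.

```python
import re

# Constructed configuration for the example (hypothetical values).
ALLOWED_HOSTS = {"www.example.com", "example.com"}
CANONICAL_HOST = "www.example.com"

# RFC 1123 hostname characters plus an optional port. IPv6 literals are
# deliberately not accepted here; extend the pattern if a deployment needs them.
_HOST_RE = re.compile(
    r"^(?P<name>[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::(?P<port>\d{1,5}))?$"
)


def parse_headers(raw_request):
    """Split a raw HTTP/1.1 request into a list of (name, value) tuples.

    A list rather than a dict, so duplicate header names are preserved and
    can be detected instead of being silently collapsed.
    """
    lines = raw_request.split("\r\n")
    headers = []
    for line in lines[1:]:          # lines[0] is the request line
        if line == "":
            break                   # blank line ends the header section
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def resolve_host(headers):
    """Validate the Host header against the allowlist.

    Returns (status, hostname):
      400 - Host missing, empty, malformed, or sent more than once
            (servers disagree on which copy wins, so treat duplicates as invalid);
      421 - well-formed, but not a host this deployment serves;
      200 - accepted; hostname is the normalised value without the port.
    """
    hosts = [v for n, v in headers if n.lower() == "host"]
    if len(hosts) != 1:
        return 400, None
    m = _HOST_RE.match(hosts[0].lower())
    if not m:
        return 400, None
    name = m.group("name")
    if name not in ALLOWED_HOSTS:
        return 421, None
    return 200, name


def naive_redirect(raw_request, path):
    """The vulnerable pattern: Location is built from whatever Host was sent."""
    headers = {n.lower(): v for n, v in parse_headers(raw_request)}
    return 302, f"https://{headers.get('host', '')}{path}"


def safe_redirect(raw_request, path):
    """Hardened version: validate Host, then redirect only to the canonical host."""
    status, _ = resolve_host(parse_headers(raw_request))
    if status != 200:
        return status, None
    if not path.startswith("/") or path.startswith("//"):
        return 400, None   # a protocol-relative path would itself be an open redirect
    return 302, f"https://{CANONICAL_HOST}{path}"


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = "GET /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TAMPERED_REQUEST = "GET /login HTTP/1.1\r\nHost: attacker.example\r\n\r\n"
DUPLICATE_HOST_REQUEST = (
    "GET /login HTTP/1.1\r\nHost: www.example.com\r\nHost: attacker.example\r\n\r\n"
)
NO_HOST_REQUEST = "GET /login HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    samples = [("good", GOOD_REQUEST), ("tampered", TAMPERED_REQUEST),
               ("duplicate", DUPLICATE_HOST_REQUEST), ("no host", NO_HOST_REQUEST)]
    for label, req in samples:
        print(f"{label:10} naive={naive_redirect(req, '/login')} "
              f"safe={safe_redirect(req, '/login')}")
```

Running the block prints both behaviours side by side: the naive builder happily emits `https://attacker.example/login` for the tampered and duplicate-Host requests, whereas the hardened builder answers 421 and 400 respectively and only ever redirects to the canonical host. Keeping headers as a list is the important design choice; a dict would hide the duplicate and reproduce exactly the "last header wins" ambiguity the note describes.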
Proof of Concept