
Open Redirect/Unauthorized URL redirect via HTTP HOST Header Injection

This article introduces unauthorized URL redirect (open redirect) via HTTP Host header injection. Before going into the open redirect attack itself, I would like to clear up a few questions that come to mind first.
1. Why is the HTTP Host header needed? Can we proceed without it?
RFC 2616 (sec 14.23): A client MUST include a Host header field in all HTTP/1.1 request messages. If the requested URI does not include an Internet host name for the service being requested, then the Host header field MUST be given with an empty value. Any HTTP/1.1 request without a Host header field must be answered by the server with a 400 (Bad Request) status code.
2. What is the main purpose of the HTTP Host header?
Applications behind virtual hosts and load balancers identify a request by its Host header. A server with a single IP address may host multiple websites; when a request arrives, the server routes it to the right website by looking at the Host field. The Host header must therefore be validated before it is used to redirect to a website.
3. What are the attacks related to Host headers?
There are several different types of attacks related to Host header injection:

- Unauthorized URL redirect by cache poisoning
- Password reset poisoning
- Access to internal hosts
- Cross-site scripting

In this article, I am going to explain unauthorized URL redirect by cache poisoning. I will explain the other attack scenarios in the second part of this article.
Unauthorized URL Redirect by Cache poisoning

1. Cache poisoning: a cache poisoning attack may be possible in a load balancer or a web application behind a reverse proxy via HTTP header injection.

2. Unauthorized URL redirect via a single Host header

Original Request:

    GET / HTTP/1.1
    Host: xyz.com
    [... .. ..]
    [... .. ..]

Tampered HTTP Request:

    GET / HTTP/1.1
    Host: attacker.com
    [... .. ..]
    [... .. ..]

3. Unauthorized URL redirect via two Host headers

Original Request:

    GET / HTTP/1.1
    Host: xyz.com
    [... .. ..]
    [... .. ..]

Tampered HTTP Request:

    GET / HTTP/1.1
    Host: xyz.com
    Host: attacker.com
    [... .. ..]

Note: different web servers behave differently when the Host header is duplicated. NGINX uses the last Host header to identify the request; Apache/IIS concatenate the values.

4. Unauthorized URL redirect via X-Forwarded-Host

Original Request:

    GET / HTTP/1.1
    Host: xyz.com
    [... .. ..]
    [... .. ..]

Tampered HTTP Request:

    GET / HTTP/1.1
    Host: xyz.com
    X-Forwarded-Host: attacker.com
    [... .. ..]
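The defence against all three tampered requests above is the same: never build a redirect from a host name the client supplied unless it is one the application actually serves. The following Python is an added example written for this article, not code from the article or from any web server. It parses a raw request, keeps duplicate Host headers in order, models the "last header wins" and "concatenate" behaviours the article attributes to NGINX and Apache/IIS (these policies are modelled assumptions, not calls into those servers), ignores X-Forwarded-Host unless a trusted proxy is known to set it, and applies the RFC 2616 rule that an HTTP/1.1 request without a Host header gets a 400. The allowlist and the sample requests are constructed for the example and mirror the original/tampered pairs above.

```python
import re
from typing import List, Tuple

# Constructed allowlist: the only hosts this deployment serves (assumption for the example).
ALLOWED_HOSTS = {"xyz.com", "www.xyz.com"}


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP request into its request line and an ordered header list.

    Duplicate headers are preserved in order, which is exactly what the
    two-Host-header variant depends on.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def normalize_host(host: str) -> str:
    """Lower-case the host and drop an explicit port so it compares cleanly to the allowlist."""
    return re.sub(r":\d+$", "", host.strip().lower())


def effective_host(hosts: List[str], policy: str) -> str:
    """Model of which Host value a server acts on when several are present.

    "last"   - last header wins (the behaviour the article attributes to NGINX)
    "concat" - values joined with a comma (the behaviour the article attributes to Apache/IIS)
    Both are modelled assumptions for this example, not the servers' own code.
    """
    if policy == "last":
        return hosts[-1]
    if policy == "concat":
        return ", ".join(hosts)
    raise ValueError(f"unknown policy {policy!r}")


def check_request(raw: str, policy: str = "last",
                  trust_forwarded_host: bool = False) -> Tuple[int, str]:
    """Decide whether the request's host may be used to build a redirect.

    Returns (status, detail): 400 with a reason when the request must be
    rejected, or 200 with the validated host name.
    """
    _, headers = parse_request(raw)
    hosts = [v for n, v in headers if n == "host"]
    # RFC 2616 sec 14.23: an HTTP/1.1 request without a Host header gets a 400.
    if not hosts or all(h == "" for h in hosts):
        return 400, "missing Host header"
    host = normalize_host(effective_host(hosts, policy))
    # Variants 2 and 3: whichever duplicate-header policy the server applies,
    # a value that is not one of our own hosts never passes the allowlist.
    if host not in ALLOWED_HOSTS:
        return 400, f"Host {host!r} is not served here"
    # Variant 4: X-Forwarded-Host is client-controlled unless a trusted proxy
    # sets it, so it is ignored by default and allowlisted when it is trusted.
    forwarded = [v for n, v in headers if n == "x-forwarded-host"]
    if forwarded and trust_forwarded_host:
        candidate = normalize_host(forwarded[-1])
        if candidate not in ALLOWED_HOSTS:
            return 400, f"X-Forwarded-Host {candidate!r} is not served here"
        host = candidate
    return 200, host


def safe_redirect_location(raw: str, path: str):
    """Build an absolute redirect target only from a validated host; None otherwise."""
    status, host = check_request(raw)
    if status != 200:
        return None
    return f"https://{host}{path}"


# Constructed sample requests mirroring the article's original/tampered pairs.
ORIGINAL = "GET / HTTP/1.1\r\nHost: xyz.com\r\n\r\n"
SINGLE_HOST_TAMPERED = "GET / HTTP/1.1\r\nHost: attacker.com\r\n\r\n"
TWO_HOSTS_TAMPERED = "GET / HTTP/1.1\r\nHost: xyz.com\r\nHost: attacker.com\r\n\r\n"
XFH_TAMPERED = "GET / HTTP/1.1\r\nHost: xyz.com\r\nX-Forwarded-Host: attacker.com\r\n\r\n"
NO_HOST = "GET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    samples = [("original", ORIGINAL), ("single Host", SINGLE_HOST_TAMPERED),
               ("two Hosts", TWO_HOSTS_TAMPERED), ("X-Forwarded-Host", XFH_TAMPERED),
               ("no Host", NO_HOST)]
    for label, req in samples:
        print(f"{label:17} last={check_request(req)}  concat={check_request(req, 'concat')}")
    print("trusted XFH:      ", check_request(XFH_TAMPERED, trust_forwarded_host=True))
```

The allowlist check is what makes the server's duplicate-header policy irrelevant: "attacker.com" (last wins) and "xyz.com, attacker.com" (concatenated) both fail it. A simpler and equally sound design is to build redirects from a configured canonical host name and never read the Host header for that purpose at all; the check above is for applications that must honour several of their own host names.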

Proof of Concept

- Start the Burp Suite intercept proxy and listen on 127.0.0.1:8080
- Enable the invisible proxy option in Burp Suite
- Navigate to the URL: http://www.XXX.com
- Intercept the HTTP request with Burp Suite
- Change the Host header value to microsoft.com
- The application is redirected to microsoft.com
- Open another tab and type the URL (i.e. http://www.xyz.com)
- It is now automatically redirected to microsoft.com, as the proxy cache is poisoned
Screenshots

Figure 1: Burp Suite listening on 127.0.0.1:8080 with invisible proxy enabled

Figure 2: Change Host header field to www.microsoft.com

Figure 3: Application redirected to microsoft.com

Figure 4: Navigate to the URL in a different tab; it will redirect to microsoft.com

Authored by Syed Reza Rizvi


TCS Enterprise Security and Risk Management
