[WEB SECURITY] HOST header exploitation

Arian J. Evans arian.evans at anachronic.com
Mon Apr 27 00:38:57 EDT 2009


Can't you still call: xmlhttp.setRequestHeader('Host','trusted.target.com'); ?

That seems to work with most HTTP/web-service APIs.

If I am reading this right, the UA is not supposed to allow the Host
header to be set by the author when calling open().

http://www.w3.org/TR/2006/WD-XMLHttpRequest-20060405/#dfn-open

Also, does ActiveX have any restrictions today, or does that still
provide wide-open browser control? I did a quick search on MSDN, but
it returned way too many documents to read on a Sunday night.

--
Arian Evans


On Sun, Apr 26, 2009 at 8:13 PM, Andy Steingruebl <steingra at gmail.com> wrote:
>
> Most/all of the holes in browsers that allowed crafting Host headers have been fixed. Java and Flash raw socket support both allow it, but to hit you with it specifically via a web browser attack, your site (or a site that shared the same IP but a different CNAME) would need to be hosting the Flash/Java because of their security rules.
> Now, if someone wants to drop full client-side software, then it's a totally different game.
>
> On Sun, Apr 26, 2009 at 6:57 PM, Matt Hellman <mhellman at taxandfinance.com> wrote:
>>
>> I have an application that is vulnerable to HOST header manipulation.  In this case, it's an issue with the authentication framework that eventually appends a session ID to a redirect based on the HOST header. To exploit this weakness, how might an attacker get a victim to submit a request with a crafted HOST header? XHR? Flash? Java?
>>
>> TIA,
>> Matt
>>
>> ----------------------------------------------------------------------------
>> Join us on IRC: irc.freenode.net #webappsec
>>
>> Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
>>
>> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>> Join WASC on LinkedIn
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>
>
>
> --
> Andy Steingruebl
> steingra at gmail.com
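The scenario Matt describes (a login flow that builds an absolute redirect from the request's Host header and appends the session ID) and Andy's point that a raw-socket client can send a Host value a browser XHR cannot, as an added example that is not part of the thread or of any participant's code. The function names, the sample raw request, the session ID and trusted.target.com as the canonical host are all assumptions made for the illustration. The vulnerable builder reflects Host verbatim; the hardened one matches it against an allowlist of hostnames the site is actually served under and otherwise falls back to the configured canonical host.

```javascript
// Added example, not code from the thread. Models the weakness Matt
// describes: a login flow that builds an absolute redirect from the
// request's Host header and appends the session ID. Function names,
// the sample request and trusted.target.com as the canonical host are
// assumptions made for this illustration.

// Minimal parser for the head of a raw HTTP/1.1 request, i.e. what a
// raw-socket client (the Java/Flash case Andy mentions) can emit and a
// browser XHR cannot, because UAs refuse to let scripts set Host.
function parseRequestHead(raw) {
  const [requestLine, ...headerLines] = raw.split("\r\n\r\n")[0].split("\r\n");
  const [method, target] = requestLine.split(" ");
  const headers = {};
  for (const line of headerLines) {
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    // Header names are case-insensitive; store them lower-cased.
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, headers };
}

const SESSION_ID = "a1b2c3d4e5"; // constructed sample value

// Vulnerable: reflects whatever Host the client sent into the Location.
// With "Host: attacker.example" the victim is redirected, session ID and
// all, to a host the attacker controls.
function buildRedirectVulnerable(headers, sessionId, path = "/home") {
  return `https://${headers["host"]}${path}?sid=${encodeURIComponent(sessionId)}`;
}

// Hardened: Host must match an explicit allowlist of names the site is
// served under; anything else falls back to the configured canonical
// host instead of being echoed. (Carrying the session ID in the query
// string is a separate weakness this example does not address; a cookie
// is the usual fix for that.)
const ALLOWED_HOSTS = new Set(["trusted.target.com", "www.trusted.target.com"]);
const CANONICAL_HOST = "trusted.target.com";

function normalizeHost(raw) {
  if (typeof raw !== "string") return null;
  // Accept only a bare hostname with an optional port: no userinfo,
  // path, whitespace or anything else smuggled into the value.
  const m = /^([a-z0-9.-]+)(?::\d{1,5})?$/i.exec(raw.trim());
  return m ? m[1].toLowerCase() : null;
}

function buildRedirectHardened(headers, sessionId, path = "/home") {
  const host = normalizeHost(headers["host"]);
  const target = host !== null && ALLOWED_HOSTS.has(host) ? host : CANONICAL_HOST;
  return `https://${target}${path}?sid=${encodeURIComponent(sessionId)}`;
}

// Constructed sample: a request a raw-socket client could send to the
// site's IP with a Host header the attacker chose.
const CRAFTED_REQUEST =
  "GET /login?user=victim HTTP/1.1\r\n" +
  "Host: attacker.example\r\n" +
  "Cookie: pre_auth=xyz\r\n\r\n";

function demo() {
  const { headers } = parseRequestHead(CRAFTED_REQUEST);
  return {
    vulnerable: buildRedirectVulnerable(headers, SESSION_ID),
    hardened: buildRedirectHardened(headers, SESSION_ID),
  };
}

console.log(demo());
```

The allowlist, not the Host header, is the source of truth for the site's own name; a stricter deployment would answer an unrecognised Host with a 400 rather than silently substituting the canonical host, which is the better choice when the application is the only thing listening on that IP.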
