bananasplit bananasplit - 2 months ago 22
HTTP Question

How to exploit HTTP "Host" header XSS vulnerability?

Follow up question of How to exploit HTTP header XSS vulnerability?

Let's say that a page is just printing the value of the HTTP 'Host' header with no escaping. So the page is vulnerable to an XSS attack, i.e. an attacker can craft a GET request with a 'Host' header containing something like alert('xss');.

But how can you actually use this to attack a target? How can the attacker make the target issue that specific request with that specific header?

Answer

The http Host header is basically use as a string to figure out which of (potentially many) named-based hosts in the server configuration should be used to serve up the request.

Let's say you forged up an HTTP request and got this header sent over:

Host: <script>alert('foo');</script>.example.com

The ONLY way this could get through to the PHP script you want to attack is if the webmaster configured the server and site definition to allow that explicit hostname, or has wildcard naming in place, e.g.

<VirtualHost ...
    ServerName www.example.com
    ServerAlias *.example.com
</VirtualHost>

Since the wildcard allows ANYTHING before .example.com, your JS-hostname would get through.

But a vhost configured like this:

<Virtualhost ...>
    Servername www.example.com
    ServerAlias web.example.com
</Virtualhost

would not be vulnerable, because the Host name you've provided is not matched by ANY of the configured hostnames. The request may be handled by some other catch-all vhost, but since your vulnerable script doesn't exist on that site, that's useless to you.