Abusing HTTP Misconfigurations

Bypassing Flawed Validation

If a web application uses the host header for any purpose, it is not uncommon for the application to implement certain checks to attempt to catch requests with manipulated host headers. In this section, we will have a look at a flawed validation function that leaves the web application vulnerable to host header attacks.

Identification

Let's assume our target web application resides at bypassingchecks.htb. When we visit the domain, we can see a simple web application that tells us that it implements host header validation:

Looking at the network traffic in Burp, we can see that the application uses absolute URLs to load resources such as stylesheets and script files:

However, when we attempt to send a request with an arbitrary host header, the application responds with an error message, indicating that some sort of host header validation is implemented:

Exploitation

To bypass the implemented filters we need to think about how it might work and what kind of loopholes may exist. We can deduce from the behavior that the web application probably implements a filter that checks the supplied host header against a pre-configured domain stored in a configuration file. Supplying an arbitrary domain in the host header will thus be caught by the filter. However, there may be other ways to bypass it.

For instance, since web applications may run on a non-default port during testing, the validation function that parses the host header might omit the port. We could try this by specifying an arbitrary port in the host header:

GET / HTTP/1.1
Host: bypassingchecks.htb:1337

The web application does not respond with an error message but accepts the supplied host header and constructs the absolute links with the incorrect port we provided. If we could combine this with a web cache poisoning attack, the result is a defacement attack, meaning the target website is defaced by malicious input. If we display the response in the browser we can see that the website now looks completely different. That is because the link to the stylesheet is broken and does not load the stylesheet properly. This also affects the script file loaded with an absolute link, thus also potentially breaking the functionality of the target site:

However, a defacement attack does not allow us to attack other users directly. Another common flaw in host header validation is that only the postfix of the domain is checked. This allows for subdomains to pass the host header validation as well. However, if the filter does not properly check if the host header indeed contains a subdomain of the target domain by checking for the separating dot, we might be able to supply a host header that contains the intended domain as a postfix. For instance, we can trick the filter by sending a request like this:

GET / HTTP/1.1
Host: evilbypassingchecks.htb

We can register the domain evilbypassingchecks.htb which is entirely independent of the domain bypassingchecks.htb and then exploit the host header attack vectors discussed previously, such as web cache poisoning or password reset poisoning.

Bypassing Blacklists

While the above example implements a (flawed) whitelist approach, some applications also implement a less secure blacklist approach. Blacklist implementations are generally easier to bypass since they only block what was explicitly thought of by the developers. Assume that a web application implements a blacklist filter for the host header that prevents access with a host header containing localhost or something equivalent. The most trivial blacklist may only contain localhost and 127.0.0.1. However, there are many other values with the same meaning that an attacker could use to bypass this blacklist.

For instance, an attacker can supply the IP address in hexadecimal encoding: 0x7f000001. We can verify that this is indeed equivalent to localhost by running the ping command:

[!bash!]$ ping 0x7f000001 -c 1
PING 0x7f000001 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.032 ms

--- 0x7f000001 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.032/0.032/0.032/0.000 ms

We can see that 0x7f000001 gets resolved to localhost. Following is a list of further options we could provide to bypass such a filter. We can again run a ping command with these values to confirm that they are equivalent to localhost:

Decimal encoding: 2130706433
Hex encoding: 0x7f000001
Octal encoding: 0177.0000.0000.0001
Zero: 0
Short form: 127.1
IPv6: ::1
IPv4 address in IPv6 format: [0:0:0:0:0:ffff:127.0.0.1] or [::ffff:127.0.0.1]
External domain that resolves to localhost: localtest.me

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

+ 10 Try to use what you learned in this section to bypass the authentication check via host header manipulation and obtain the flag.

+10 Streak pts

Previous Next

Go to Questions

Introduction to HTTP Misconfigurations

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

Web Cache Poisoning - General

Identify a way to determine keyed & unkeyed parameters
Use Cache Buster to prevent poisoning other users
Deliver payload in unkeyed parameter to poison the cache

Web Cache Poisoning - Fat GET

GET requests with body
Web server may be vulnerable if it does not ignore the body
Can be used to poison the cache even with a keyed parameter
Example:

GET /index.php?param1=Hello&param2=World HTTP/1.1
Host: 127.0.0.1
Content-Length: 10

param3=123

Web Cache Poisoning - Parameter Cloaking

Discrepancy in the parsing of parameters between web cache and web server
Can be used to poison the cache even with a keyed parameter
Payload needs to be hidden in unkeyed parameter
Example:

GET /?language=en&a=b;language=de HTTP/1.1
Host: 127.0.0.1

Web Cache Poisoning Scanner

Command	Description
`./wcvs -u http://simple.wcp.htb/`	Simple scan of a website
`./wcvs -u http://simple.wcp.htb/ -gr`	Generate a JSON report

Host Header Attacks

Override Headers:

X-Forwarded-Host
X-HTTP-Host-Override
Forwarded
X-Host
X-Forwarded-Server

Generating a wordlist for Fuzzing:

for a in {1..255};do
    for b in {1..255};do
        echo "192.168.$a.$b" >> ips.txt
    done
done

Using ffuf to fuzz the host header:

ffuf -u http://IP:PORT/admin.php -w ips.txt -H 'Host: FUZZ'

Bypassing blacklist filters for localhost:

Decimal encoding: 2130706433
Hex encoding: 0x7f000001
Octal encoding: 0177.0000.0000.0001
Zero: 0
Short form: 127.1
IPv6: ::1
External domain that resolves to localhost: localtest.me

Session Puzzling

Session IDs should be at least 16 bytes long
Session IDs should provide at least 64 bits of entropy
Test for insecure default values in session variables
Test for common session variables/session variable re-use across different processes
Test for premature session population of session variables by canceling/manipulating processes unexpectedly