Skip to content
This repository has been archived by the owner on Oct 21, 2022. It is now read-only.

Host header poisoning #9

Open
sveeke opened this issue Jun 18, 2018 · 1 comment
Open

Host header poisoning #9

sveeke opened this issue Jun 18, 2018 · 1 comment
Labels
bug-security risk-low Security issues with a low impact
Milestone
Pilot 2018

Comments

@sveeke
Copy link
Contributor

sveeke commented Jun 18, 2018

The application appears to trust the user-supplied host header.
@sveeke
Copy link
Contributor Author

sveeke commented Jun 18, 2018

threatLevel="Low" type="Host-Header-Poisoning"

The application appears to trust the user-supplied host header which allows the attacker to load a PNG-file from another server because the HTTP Host header value is used to generate an image link. This is a very bad idea, because the HTTP Host header can be controlled by an attacker. ROS also verified that the links in the password reset e-mail are not using the Host Header. This prevents an attacker from stealing password reset tokens.

Original request:

POST /v1/issuer/issuers HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Token 5a29a471f3b21be11928361f5c42aeabf0c5cd8f
Content-Type: application/json
Referer: https://surf-dev2.edubadges.nl/issuer/create
Content-Length: 57523
Origin: https://surf-dev2.edubadges.nl
Connection: close

{"name":"nn","description":"nnn","email":"[email protected]","url":"https://www.edubadges.nl","image":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAI4AAAB6CAYAAABp/msHAAAgAElEQVR4nKSdd3hUVf7/bzIpQOhdiogFKyrWXVRUehHpHdJ7pveWmUzN1PTQBRTEsrI2RMWCFV17WQVXXXXdr7quBWkhCcnr98dwDzOI+v0+v/s8n+fO3Nx75p5z3ud9Pu2cSHPnzsVoNKLX6/H5fLjdbqqqqtDpdBQVFVFSUoLdbqe0tJTS0lJKSkooKSlh2bJl1NTUYDQaMRqNlJeX4/P50Gg0mM1mLBYLVqsVv99PaWkpeXl5qFQqqqqqKC4uprKyEpVKRUVFBSaTifz8fLRa

<KNIP>

Example request (changed host to radicallyopensecurity.com):

POST /v1/issuer/issuers HTTP/1.1
Host: radicallyopensecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Token 5a29a471f3b21be11928361f5c42aeabf0c5cd8f
Content-Type: application/json
Referer: https://surf-dev2.edubadges.nl/issuer/create
Content-Length: 57523
Origin: https://surf-dev2.edubadges.nl
Connection: close

{"name":"nn","description":"nnn","email":"[email protected]","url":"https://www.edubadges.nl","image":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAI4AAAB6CAYAAABp/msHAAAgAElEQVR4nKSdd3hUVf7/bzIpQOhdiogFKyrWXVRUehHpHdJ7pveWmUzN1PTQBRTEsrI2RMWCFV17WQVXXXXdr7quBWkhCcnr98dwDzOI+v0+v/s8n+fO3Nx75p5z3ud9Pu2cSHPnzsVoNKLX6/H5fLjdbqqqqtDpdBQVFVFSUoLdbqe0tJTS0lJKSkooKSlh2bJl1NTUYDQaMRqNlJeX4/P50Gg0mM1mLBYLVqsVv99PaWkpeXl5qFQqqqqqKC4uprKyEpVKRUVFBSaTifz8fLRa

<KNIP>

Note that in the response the image address is changed to: radicallyopensecurity.com

HTTP/1.1 201 Created
Server: nginx/1.12.2
Date: Sun, 10 Jun 2018 01:19:39 GMT
Content-Type: application/json
Connection: close
Vary: Accept, Authorization, Cookie
X-Frame-Options: ALLOW-FROM HTTP://CANVAS.EDUBADGES.NL/, HTTPS://CANVAS.EDUBADGES.NL
Access-Control-Allow-Origin: *
Allow: GET, POST, HEAD, OPTIONS
Content-Length: 925

{"created_at":"2018-06-10T01:19:39.622106Z","created_by":"[email protected]","name":"nn","slug":"rwygWIDnR1uBB_i1MPwu_g","image":"http://radicallyopensecurity.com/media/uploads/issuers/issuer_logo_47a13e17-51fb-41cb-b6cc-1d12f7b58114.png","email":"[email protected]","description":"nnn","url":"https://www.edubadges.nl","staff":[{"user":{"first_name":"gg","last_name":"Pentest","email":"[email protected]","slug":"EQmfGQciRuKCC_LzIamehw"},"role":"owner"}],"json":{"@context":"https://w3id.org/openbadges/v1","description":"nnn","url":"https://www.edubadges.nl","email":"[email protected]","type":"Issuer","id":"https://badgr-dev2.edubadges.nl/public/issuers/rwygWIDnR1uBB_i1MPwu_g","name":"nn","image":"https://badgr-dev2.edubadges.nl/public/issuers/rwygWIDnR1uBB_i1MPwu_g/image"},"badgeClassCount":0,"recipientGroupCount":0,"recipientCount":0,"pathwayCount":0}

In the Burp proxy a request is send to the PNG file on the radicallyopensecurity.com server.:

GET /media/uploads/issuers/issuer_logo_47a13e17-51fb-41cb-b6cc-1d12f7b58114.png HTTP/1.1
Host: radicallyopensecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

image

Impact:
This will bypass any server security if an attacker is able to control the contents of the file. The attacker could create a malicious PNG file on it's server.

Recommendation:
The web application should use the SERVER_NAME instead of the Host header. It should also create a dummy vhost that catches all requests with unrecognized Host headers. This can also be done under Nginx by specifying a non-wildcard SERVER_NAME, and under Apache by using a non-wildcard serverName and turning the UseCanonicalName directive on.

@sveeke sveeke added the risk-low Security issues with a low impact label Jun 18, 2018
@sveeke sveeke added this to the Pilot 2018 milestone Jun 18, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug-security risk-low Security issues with a low impact
Projects
None yet
Milestone
Pilot 2018
Development

No branches or pull requests
1 participant
@sveeke