As the name says, this attack relies on modifying the Host header of a request, which can be done with any intercepting proxy such as Burp Suite. It is very simple to perform and requires minimal expertise.
What is the reason behind host header injection?
With shared hosting, multiple websites run on the same web server (i.e. they share the same IP address), so the web application relies on the Host header to work out which site a request is for. This is risky, because the Host header is fully controlled by the client, and trusting it can lead to cache poisoning, XSS or account takeover.
Attack scenario 1
When we send a GET request to a web server, a man-in-the-middle proxy can intercept it, set its Host header to attacker.com and forward it, so the response that comes back is attacker-controlled content such as a fake Facebook or Gmail login page, resulting in credential theft.
Attack scenario 2
The second scenario arises where a site has a search function. If we enter some invalid data into the search bar, the site shows a "no results found" page with a Go back button. That button may be built on the back end from the Host header to send the user back to the main site. Here we can put an XSS payload in the X-Forwarded-Host header to test for the vulnerability; if the site is vulnerable, it will execute that JavaScript. For more on this header, look up X-Forwarded-Host.
NOTE: when the application or proxy honours X-Forwarded-Host, its value takes precedence over the Host header value.
Attack scenario 3
The third scenario is the password reset function. When a user clicks reset password, a unique link is sent to the user's registered email; clicking it takes the user to the genuine website with an option to enter a new password. The attack surface here is that if the reset request carries X-Forwarded-Host: evil.com, the unique link is still mailed to the user, but when the user clicks it s/he is redirected to evil.com together with the unique token. The attacker grabs that token and resets the user's password, leading to account takeover.
That reset link will look like https://evil.com?token=zcxndkjasdkadskashdkjashd54654asd. The attacker takes the token value and makes the request https://genuinesite.com?token=zcxndkjasdkadskashdkjashd54654asd, which brings the attacker to the user's reset page.
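The password reset scenario comes down to one line of back-end code: the link is built from whatever host the request carried. The following is an added example, not code from the original post, showing that pattern next to the hardened version that builds the link from a configured canonical origin. The `CANONICAL_ORIGIN` value, the `/reset` path and the sample header dictionaries are assumptions constructed for the example.

```python
"""Password-reset link construction: Host-header-derived (vulnerable) vs
configured canonical origin (hardened). Added example; not from the original
post. Header values below are constructed samples."""
import secrets
from urllib.parse import urlencode, urlsplit

# Assumption: the public origin of the application comes from deployment
# configuration, never from the incoming request.
CANONICAL_ORIGIN = "https://genuinesite.com"


def effective_host(headers: dict) -> str:
    """Mimic frameworks that honour X-Forwarded-Host over Host when present."""
    return headers.get("X-Forwarded-Host") or headers.get("Host", "")


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the link from the client-supplied host. This is what lets an
    injected X-Forwarded-Host end up in the e-mail sent to the victim."""
    host = effective_host(headers)
    return f"https://{host}/reset?{urlencode({'token': token})}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Ignores request headers entirely and uses the configured origin."""
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


def link_points_home(link: str) -> bool:
    """Pre-send guard: the link must land on the canonical scheme and host.
    Useful as a unit test for any code path that mails a link out."""
    link_parts = urlsplit(link)
    canon = urlsplit(CANONICAL_ORIGIN)
    return (link_parts.scheme, link_parts.netloc) == (canon.scheme, canon.netloc)


def new_token() -> str:
    """Unguessable reset token (the post's example token is just illustrative)."""
    return secrets.token_urlsafe(32)


# Constructed sample requests: a legitimate Host plus an injected X-Forwarded-Host,
# and a clean request with only a legitimate Host.
POISONED_HEADERS = {"Host": "genuinesite.com", "X-Forwarded-Host": "evil.com"}
CLEAN_HEADERS = {"Host": "genuinesite.com"}

if __name__ == "__main__":
    token = new_token()
    print("vulnerable:", build_reset_link_vulnerable(POISONED_HEADERS, token))
    print("hardened:  ", build_reset_link_hardened(POISONED_HEADERS, token))
```

The `link_points_home` check is the part worth keeping around: run it in the test suite against every code path that mails a link, with a poisoned header set as input, and the regression is caught before a mail is ever sent.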
There are many other scenarios, but in the end you have to find out what is happening in the background and proceed accordingly.
How can we mitigate this?
Man-in-the-middle attacks are very hard to mitigate and can only be avoided by the user: keep an eye on the address bar and do not trust sites without SSL.
Developers need to disable the X-Forwarded-Host header, or honour it only when it is set by their own reverse proxy.
As everybody in web security knows, no user-supplied data can be trusted, so a web application's dependency on the Host header should be kept to a minimum.
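Keeping the dependency on the Host header minimal in practice means validating it against an allowlist and only accepting X-Forwarded-Host from your own proxy, which closes the injection point used in scenarios 2 and 3. The following is an added example, not code from the original post: a request-time check a web application can run before any URL is built, plus a scan over constructed access-log lines to find requests that policy would have rejected. The hostnames, the `10.0.0.0/8` proxy range and the log format are assumptions made for the example.

```python
"""Host header validation behind a reverse proxy, plus a log check.
Added example; not from the original post. Hostnames, proxy addresses and
log lines are constructed for illustration."""
from __future__ import annotations

import ipaddress
import re

# Assumption: exact hostnames this deployment serves (compared lowercase, no port).
ALLOWED_HOSTS = {"genuinesite.com", "www.genuinesite.com"}
# Assumption: only our own reverse proxy may set X-Forwarded-Host. The proxy
# itself must overwrite (not append to) any X-Forwarded-Host a client sends.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def normalise_host(value: str) -> str:
    """Lowercase, strip an optional :port and a trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):  # IPv6 literal; we do not serve sites by address
        return host
    if host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def resolve_host(headers: dict, remote_addr: str) -> tuple[str | None, str]:
    """Return (host, reason). host is None when the request must be rejected
    (respond with HTTP 400 rather than serving anything)."""
    raw_host = headers.get("Host")
    if raw_host is None:
        return None, "missing Host"
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded is not None:
        peer = ipaddress.ip_address(remote_addr)
        if not any(peer in net for net in TRUSTED_PROXIES):
            return None, "X-Forwarded-Host from untrusted peer"
        candidate = forwarded.split(",")[0]  # first hop set by our proxy
    else:
        candidate = raw_host
    host = normalise_host(candidate)
    if not _HOST_RE.match(host) or host not in ALLOWED_HOSTS:
        return None, f"host not allowed: {host!r}"
    return host, "ok"


# Constructed access-log excerpt: client_ip "Host" "X-Forwarded-Host" "request line"
SAMPLE_LOG = """\
203.0.113.5 "genuinesite.com" "-" "GET /search?q=x HTTP/1.1"
203.0.113.9 "genuinesite.com" "evil.com" "POST /password/reset HTTP/1.1"
198.51.100.2 "evil.com" "-" "POST /password/reset HTTP/1.1"
10.0.0.7 "genuinesite.com" "www.genuinesite.com" "GET / HTTP/1.1"
"""

_LOG_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)" "([^"]*)"$')


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, reason) for every logged request the policy rejects.
    Rejected requests against password-reset endpoints are the ones to alert on."""
    findings = []
    for line in text.splitlines():
        match = _LOG_RE.match(line)
        if not match:
            continue
        ip, host, forwarded, _request = match.groups()
        headers = {"Host": host}
        if forwarded != "-":
            headers["X-Forwarded-Host"] = forwarded
        resolved, reason = resolve_host(headers, ip)
        if resolved is None:
            findings.append((ip, reason))
    return findings


if __name__ == "__main__":
    for ip, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Note that the allowlist check runs on the forwarded value too, so even a trusted proxy that leaks a foreign hostname cannot get it used: the only hosts that survive are the ones you configured.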
Thanks for reading. Stay tuned for more 😉