Input Validation / Host Header Injection

Description

Host Header Injection (CWE-113) is an input validation vulnerability that occurs when user-supplied input from the HTTP header is not properly sanitized and is then used to generate dynamic content. This vulnerability allows an attacker to manipulate the content of a web page or API response, which can lead to unintended consequences such as authentication bypass, data leakage, and even system compromise. As described in the OWASP Testing Guide, the most common attack vector for Host Header Injection is the injection of malicious JavaScript code into the application's response.

Risk

Host Header Injection can have serious consequences, as it can allow an attacker to bypass authentication mechanisms, access sensitive data, and even gain full control of the affected system. An attacker could also use this vulnerability to launch further attacks, such as cross-site scripting (XSS) and SQL injection attacks, to compromise the application.

Solution

The best way to prevent Host Header Injection is to properly sanitize user-supplied input by validating and filtering it before it is used to generate dynamic content. Input validation should be performed at the application layer and should include checks for malicious patterns, such as JavaScript code. Additionally, the application should be configured to reject requests that contain invalid or unexpected Host headers.

Example

The following example, taken from CVE-2018-10023, illustrates a Host Header Injection vulnerability in Apache Tomcat. In this example, an attacker can inject malicious JavaScript code into the application's response by supplying a malicious Host header in an HTTP request.

GET /example.html HTTP/1.1
Host: <script>alert("XSS")</script>