CodeIgniter Forums

Full Version: Host Header Attack
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
[attachment=852]
Hi guys, i got this issue from IT-Sec, i have read and search thouroghly but i still can't find any actual solution to fix this issue.

Here it is.

Quote:
Quote:"HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels. Pentester try to request with modify header host. and the response result showing with the modify host header. affected files:
Quote:
  1. app/formulir
  2. app/kompensasi
  3. app/panduan-agen
  4. app/produk-dan-layanan
  5. app/tentang
  6. app/tentang-
  7. app/training
The impact of this vulnerability An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways."

Recommended solution thus far is :

Quote:The web application should use the SERVER_NAME instead of the Host header

This app are running on xampp with reverse proxy setting for testing. I already do 3 changes to config.php, but the issue is still there. Here is the code.

1.
PHP Code:
if(isset($_SERVER[SERVER_NAME])) { 
$config['base_url'] = isset($_SERVER['HTTPS']) &&  strtolower($_SERVER['HTTPS']) == 'on' 'https' 'http';
$config['base_url'] = '://'$_SERVER['SERVER_NAME'];
$config['base_url'] = str_replace(basename($_SERVER['SCRIPT_NAME']), ''$_SERVER['SCRIPT_NAME']);
}
else{
$config['base_url'] = '';


2.
Quote:
Code:
$config['base_url'] = 'http://$_SERVER[SERVER_NAME]';

PHP Code:
$config['base_url'] = 'https://jktdc.*********.com/app' 

What im asking is, how/where/what exactly i have to change/add to fix this issue. [b]Thanks a lot.

PS : the response header is on the attachment.[/b]
We use this in the index.php

PHP Code:
$default_domain 'www.yourwebsite.com';
$allowed_domains = array('yourwebsite.com','www.yourwebsite.com');

if ( ! 
function_exists('is_https_on'))
{
 
   /**
     * Is HTTPS?
     *
     * Determines if the application is accessed via an encrypted
     * (HTTPS) connection.
     *
     * @return bool
     */
 
   function is_https_on()
 
   {
 
       if ( ! empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off')
 
       {
 
           return TRUE;
 
       }
 
           elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https')
 
       {
 
           return TRUE;
 
       }
 
       elseif ( ! empty($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) !== 'off')
 
       {
 
           return TRUE;
 
       }

 
       return FALSE;
 
   }
}

$protocol 'http://';
if ( 
is_https_on() && USE_HTTPS ) {
 
   $protocol 'https://';
}
// define protocol
define('PROTOCOL'$protocol); 

The check if the HTTP_HOST is within the allowed domains

PHP Code:
if( ! in_array($_SERVER['HTTP_HOST'], $allowed_domains) ) {
 
   $_SERVER['HTTP_HOST'] = $default_domain;


The set a constant
PHP Code:
define('BASE_URL'PROTOCOL.$_SERVER['HTTP_HOST']); 

And in the config
PHP Code:
$config['base_url'] = BASE_URL

Spoofing the HTTP_HOST header will have no effect this way
(04-20-2017, 04:01 AM)Martin7483 Wrote: [ -> ]We use this in the index.php

PHP Code:
$default_domain 'www.yourwebsite.com';
$allowed_domains = array('yourwebsite.com','www.yourwebsite.com');

if ( ! 
function_exists('is_https_on'))
{
 
   /**
     * Is HTTPS?
     *
     * Determines if the application is accessed via an encrypted
     * (HTTPS) connection.
     *
     * @return bool
     */
 
   function is_https_on()
 
   {
 
       if ( ! empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off')
 
       {
 
           return TRUE;
 
       }
 
           elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https')
 
       {
 
           return TRUE;
 
       }
 
       elseif ( ! empty($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) !== 'off')
 
       {
 
           return TRUE;
 
       }

 
       return FALSE;
 
   }
}

$protocol 'http://';
if ( 
is_https_on() && USE_HTTPS ) {
 
   $protocol 'https://';
}
// define protocol
define('PROTOCOL'$protocol); 

The check if the HTTP_HOST is within the allowed domains

PHP Code:
if( ! in_array($_SERVER['HTTP_HOST'], $allowed_domains) ) {
 
   $_SERVER['HTTP_HOST'] = $default_domain;


The set a constant
PHP Code:
define('BASE_URL'PROTOCOL.$_SERVER['HTTP_HOST']); 

And in the config
PHP Code:
$config['base_url'] = BASE_URL

Spoofing the HTTP_HOST header will have no effect this way

Ok, Thanks a lot, will try this, andd report it back. Heart
(04-20-2017, 04:01 AM)Martin7483 Wrote: [ -> ]We use this in the index.php

PHP Code:
$default_domain 'www.yourwebsite.com';
$allowed_domains = array('yourwebsite.com','www.yourwebsite.com');

if ( ! 
function_exists('is_https_on'))
{
 
   /**
     * Is HTTPS?
     *
     * Determines if the application is accessed via an encrypted
     * (HTTPS) connection.
     *
     * @return bool
     */
 
   function is_https_on()
 
   {
 
       if ( ! empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off')
 
       {
 
           return TRUE;
 
       }
 
           elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https')
 
       {
 
           return TRUE;
 
       }
 
       elseif ( ! empty($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) !== 'off')
 
       {
 
           return TRUE;
 
       }

 
       return FALSE;
 
   }
}

$protocol 'http://';
if ( 
is_https_on() && USE_HTTPS ) {
 
   $protocol 'https://';
}
// define protocol
define('PROTOCOL'$protocol); 

The check if the HTTP_HOST is within the allowed domains

PHP Code:
if( ! in_array($_SERVER['HTTP_HOST'], $allowed_domains) ) {
 
   $_SERVER['HTTP_HOST'] = $default_domain;


The set a constant
PHP Code:
define('BASE_URL'PROTOCOL.$_SERVER['HTTP_HOST']); 

And in the config
PHP Code:
$config['base_url'] = BASE_URL

Spoofing the HTTP_HOST header will have no effect this way

I'm sorry, the issue is solved, but the website is not diplayed, it keeps loading. But nothing happen, thanks anyway.
(04-20-2017, 08:43 AM)solasoli Wrote: [ -> ]I'm sorry, the issue is solved, but the website is not diplayed, it keeps loading. But nothing happen, thanks anyway.

What do you mean keeps loading? Does it keep redirecting in a loop?
(04-21-2017, 06:44 AM)Martin7483 Wrote: [ -> ]
(04-20-2017, 08:43 AM)solasoli Wrote: [ -> ]I'm sorry, the issue is solved, but the website is not diplayed, it keeps loading. But nothing happen, thanks anyway.

What do you mean keeps loading? Does it keep redirecting in a loop?

Yep, sorry english is not  my 1st languange.

Huh The thing is, your solution is working on curl, but not displayed in browser. Sad