CodeIgniter Forums
Host Header Attack - Printable Version

+--- Thread: Host Header Attack (/showthread.php?tid=67878)



Host Header Attack - solasoli - 04-20-2017

   
Hi guys, I got this issue from IT-Sec. I have read and searched thoroughly, but I still can't find any actual solution to fix this issue.

Here it is.

Quote:"HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels. The pentester tried a request with a modified Host header, and the response showed the modified Host header. Affected files:
  1. app/formulir
  2. app/kompensasi
  3. app/panduan-agen
  4. app/produk-dan-layanan
  5. app/tentang
  6. app/tentang-
  7. app/training
The impact of this vulnerability: an attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways."

Recommended solution thus far is:

Quote:The web application should use the SERVER_NAME instead of the Host header

This app is running on XAMPP with a reverse proxy setting for testing. I already made 3 changes to config.php, but the issue is still there. Here is the code.

1.
PHP Code:
if (isset($_SERVER['SERVER_NAME'])) {
    // scheme is decided by the server's HTTPS flag, not by the client
    $config['base_url']  = isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on' ? 'https' : 'http';
    // host comes from SERVER_NAME, as IT-Sec recommended
    $config['base_url'] .= '://' . $_SERVER['SERVER_NAME'];
    // append the directory part of the script path (e.g. /app/)
    $config['base_url'] .= str_replace(basename($_SERVER['SCRIPT_NAME']), '', $_SERVER['SCRIPT_NAME']);
}
else {
    $config['base_url'] = '';
}

2.
PHP Code:
// double quotes are required for the variable to be interpolated
$config['base_url'] = "http://{$_SERVER['SERVER_NAME']}";

3.
PHP Code:
$config['base_url'] = 'https://jktdc.*********.com/app';

What I'm asking is: how/where/what exactly do I have to change/add to fix this issue? Thanks a lot.

PS: the response header is in the attachment.


RE: Host Header Attack - Martin7483 - 04-20-2017

We use this in the index.php

PHP Code:
$default_domain  = 'www.yourwebsite.com';
$allowed_domains = array('yourwebsite.com', 'www.yourwebsite.com');

if ( ! function_exists('is_https_on'))
{
    /**
     * Is HTTPS?
     *
     * Determines if the application is accessed via an encrypted
     * (HTTPS) connection.
     *
     * @return bool
     */
    function is_https_on()
    {
        if ( ! empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off')
        {
            return TRUE;
        }
        elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https')
        {
            return TRUE;
        }
        elseif ( ! empty($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) !== 'off')
        {
            return TRUE;
        }

        return FALSE;
    }
}

// USE_HTTPS is a boolean constant defined earlier in this index.php
$protocol = 'http://';
if (is_https_on() && USE_HTTPS) {
    $protocol = 'https://';
}
// define protocol
define('PROTOCOL', $protocol);

Then check if the HTTP_HOST is within the allowed domains:

PHP Code:
if ( ! in_array($_SERVER['HTTP_HOST'], $allowed_domains)) {
    // anything not on the allowlist is replaced by the default domain
    $_SERVER['HTTP_HOST'] = $default_domain;
}

Then set a constant:
PHP Code:
define('BASE_URL', PROTOCOL.$_SERVER['HTTP_HOST']);

And in the config:
PHP Code:
$config['base_url'] = BASE_URL;

Spoofing the HTTP_HOST header will have no effect this way.
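The allowlist approach above in a self-contained form, as an added example that is not code from this thread or from CodeIgniter. It also handles what the snippets above skip: a `:port` suffix, letter case, an `X-Forwarded-Host` header from a reverse proxy (honoured only when the proxy is explicitly trusted), and malformed values. The hostnames and the `$trustProxy` flag are assumptions used for illustration.

```php
<?php
// Added example (not code from the thread): build base_url from an allowlisted host
// and a server-decided scheme, so a spoofed Host header can never reach the output.

/** Return the canonical host, or $defaultHost if the request's host is not allowlisted. */
function resolve_host(array $server, array $allowedHosts, string $defaultHost, bool $trustProxy = false): string
{
    $raw = $server['HTTP_HOST'] ?? '';
    // Only honour X-Forwarded-Host behind a proxy we control; otherwise it is just client input.
    if ($trustProxy && !empty($server['HTTP_X_FORWARDED_HOST'])) {
        // Chained proxies may send "a.example.com, b.example.com"; the first is the client-facing one.
        $raw = trim(explode(',', $server['HTTP_X_FORWARDED_HOST'])[0]);
    }

    // Drop an optional :port and normalise case before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', $raw));

    // RFC 1123 hostname shape: rejects spaces, CRLF, slashes and empty values outright.
    $shape = '/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/';
    if (!preg_match($shape, $host)) {
        return $defaultHost;
    }

    return in_array($host, $allowedHosts, true) ? $host : $defaultHost;
}

/** Scheme comes from the server's HTTPS flag (or a trusted proxy), never from the Host header. */
function build_base_url(array $server, array $allowedHosts, string $defaultHost, bool $trustProxy = false): string
{
    $https = (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off')
        || ($trustProxy && isset($server['HTTP_X_FORWARDED_PROTO'])
            && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https');

    return ($https ? 'https' : 'http') . '://'
        . resolve_host($server, $allowedHosts, $defaultHost, $trustProxy) . '/';
}

// Constructed sample requests, shaped like $_SERVER; hostnames are placeholders.
$allowed  = ['example.com', 'www.example.com'];
$requests = [
    ['HTTPS' => 'on', 'HTTP_HOST' => 'www.example.com'],                                   // normal request
    ['HTTPS' => 'on', 'HTTP_HOST' => 'WWW.Example.com:443'],                               // case and port differ
    ['HTTP_HOST' => 'attacker-controlled.test'],                                            // spoofed Host
    ['HTTP_HOST' => 'www.example.com', 'HTTP_X_FORWARDED_HOST' => 'attacker-controlled.test'], // forwarded header, proxy not trusted
];
foreach ($requests as $r) {
    echo build_base_url($r, $allowed, 'www.example.com', false), PHP_EOL;
}
```

The allowlist must contain every name the app is legitimately reached by, including the proxy's external name and any `localhost` entry used during testing; otherwise every URL is rebuilt on `$defaultHost`, which the browser may not be able to reach.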


RE: Host Header Attack - solasoli - 04-20-2017

(04-20-2017, 03:01 AM)Martin7483 Wrote: We use this in the index.php


Ok, thanks a lot, will try this and report back.


RE: Host Header Attack - solasoli - 04-20-2017

(04-20-2017, 03:01 AM)Martin7483 Wrote: We use this in the index.php


I'm sorry, the issue is solved, but the website is not displayed, it keeps loading. But nothing happens, thanks anyway.


RE: Host Header Attack - Martin7483 - 04-21-2017

(04-20-2017, 07:43 AM)solasoli Wrote: I'm sorry, the issue is solved, but the website is not displayed, it keeps loading. But nothing happens, thanks anyway.

What do you mean keeps loading? Does it keep redirecting in a loop?


RE: Host Header Attack - solasoli - 04-21-2017

(04-21-2017, 05:44 AM)Martin7483 Wrote:
(04-20-2017, 07:43 AM)solasoli Wrote: I'm sorry, the issue is solved, but the website is not displayed, it keeps loading. But nothing happens, thanks anyway.

What do you mean keeps loading? Does it keep redirecting in a loop?

Yep, sorry, English is not my 1st language.

The thing is, your solution is working on curl, but not displayed in the browser.