Create 4.8.18 Testing for Host Header Injection (OTG-INPVAL-018).md #49
Conversation
|
|
||
| # How to Test | ||
|
|
||
| Initial testing is as simple as supplying another domain (i.e. attacker.com) into the Host Header field. It is how the web server processes the header value that dictates the impact. |
There was a problem hiding this comment.
As I have read a lot on this matter, this is normal behavior that occurs with virtual hosts as the Host header is used to redirect the users to the vHosts. Don't you think that there should be a clarification on to where this attack is valid? I'm afraid this will entice people to simply send bug reports with Host Header attacks that have no relevant impact and are acting as should.
There was a problem hiding this comment.
the Host Header field
I'd suggest "the Host header field" (drop the capital on header....throughout the doc, unless it's starting a sentence of course.)
There was a problem hiding this comment.
Ah very true. Going to provide additional clarification. Also, i'll drop the capital letter 👍
There was a problem hiding this comment.
Changes have been made :)
There was a problem hiding this comment.
Please review this and let me know if this is adequate, I think i provided a right clarification. Let me know or add whatever you feel is correct.
...ng/4.8 Input Validation Testing/4.8.18 Testing for Host Header Injection (OTG-INPVAL-018).md
Show resolved
Hide resolved
| @@ -0,0 +1,84 @@ | |||
| # Summary | |||
|
|
|||
| A web server commonly hosts several web application on the same IP address, referring to each application as a virtual host. In an incoming HTTP request, web servers often dispatch the request to the target virtual host of the value supplied in the Host Header. Without proper validation of the header value, the attacker can supply invalid input to cause the web server to dispatch requests to the first virtual host on the list, cause a 302 redirect to an attacker-controlled domain, perform web cache poisoning, or manipulate password reset functionality. | |||
There was a problem hiding this comment.
several web application
Let's make that applications (plural).
application as a virtual host
Maybe replace as a with via.
Without proper validation of the header value
How about "Without proper validation of the HTTP request Host header value.
input to cause the web server to dispatch requests
I'd suggest adding a colon before the list of potential issues otherwise the sentence runs-on. "...input to cause the web server: To dispatch requests..."
There was a problem hiding this comment.
Changes have been made :)
There was a problem hiding this comment.
The first suggestion was applied to the second application, not the first.
...ng/4.8 Input Validation Testing/4.8.18 Testing for Host Header Injection (OTG-INPVAL-018).md
Outdated
Show resolved
Hide resolved
|
|
||
| # How to Test | ||
|
|
||
| Initial testing is as simple as supplying another domain (i.e. attacker.com) into the Host Header field. It is how the web server processes the header value that dictates the impact. |
There was a problem hiding this comment.
the Host Header field
I'd suggest "the Host header field" (drop the capital on header....throughout the doc, unless it's starting a sentence of course.)
...ng/4.8 Input Validation Testing/4.8.18 Testing for Host Header Injection (OTG-INPVAL-018).md
Show resolved
Hide resolved
...ng/4.8 Input Validation Testing/4.8.18 Testing for Host Header Injection (OTG-INPVAL-018).md
Outdated
Show resolved
Hide resolved
...ng/4.8 Input Validation Testing/4.8.18 Testing for Host Header Injection (OTG-INPVAL-018).md
Outdated
Show resolved
Hide resolved
...ng/4.8 Input Validation Testing/4.8.18 Testing for Host Header Injection (OTG-INPVAL-018).md
Outdated
Show resolved
Hide resolved
...ng/4.8 Input Validation Testing/4.8.18 Testing for Host Header Injection (OTG-INPVAL-018).md
Outdated
Show resolved
Hide resolved
|
@markclayton Hello. Any updates on the above? |
|
Hi! Sorry not yet, things have been insane at work here lately. I should have it all knocked out EOD today though. Thanks for the bump. |
|
No rush! Was just making sure you're still after it. No worries 😄 |
addresses multiple revision recommendations. Thanks guys for the review, continue to suggest edits as needed.
|
Sorry for the late response guys! I finally found an opening to make the necessary changes. Please review and continue to provide recommendation and corrections 👍 |
Closes issue #48