Review: 4.8.18 Testing for Host Header Injection (OTG-INPVAL-018) #56

Closed
kingthorin opened this issue May 14, 2019 · 2 comments
Labels: revise (Needs quality review, updates, or revision)

Comments

@kingthorin (Collaborator) commented May 14, 2019

In follow-up to #49, there are some outstanding items to be addressed.


Source ref: https://github.com/OWASP/OWASP-Testing-Guide-v5/blob/master/document/4%20Web%20Application%20Security%20Testing/4.8%20Input%20Validation%20Testing/4.8.18%20Testing%20for%20Host%20Header%20Injection%20(OTG-INPVAL-018).md

First paragraph:

A web server commonly hosts several web application on the same IP address

applications plural (on the first occurrence)

referring to each applications via

application (singular here)

to the target virtual host of the value supplied in the Host header

to the target virtual host based on the value supplied in the Host header

For the whole second chunk of this paragraph:

"Without proper validation of the header value, the attacker can supply invalid input to cause the web server: to dispatch requests to the first virtual host on the list without proper validation of the HTTP request Host header value, cause a redirect to an attacker-controlled domain, perform web cache poisoning, or manipulate password reset functionality."

Second paragraph:

not to an internal virtual hosts that

host singular

Third section:

X-Forwarded Host header Bypass heading should be title caps Header.

Producing the following client-side output.

Potentially producing client-side output such as:
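The Host and X-Forwarded-Host handling that the quoted paragraph warns about, written up as an added defender-side example; it is not part of this issue or of the Testing Guide text, and the allowlist, proxy address and request headers are constructed:

```python
"""Validate the effective Host of a request instead of trusting it.

Added example, not from the OWASP Testing Guide or this issue. ALLOWED_HOSTS,
TRUSTED_PROXY and the sample requests are constructed values.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed configuration: hostnames this virtual-host set actually serves,
# and the only reverse proxy whose X-Forwarded-Host is believed.
ALLOWED_HOSTS = {"shop.example.com", "account.example.com"}
TRUSTED_PROXY = "10.0.0.5"


def _normalize(host: Optional[str]) -> Optional[str]:
    """Lower-case a Host value and drop its port; reject empty or odd forms."""
    if not host or "@" in host:          # no userinfo tricks, no empty header
        return None
    try:
        return urlsplit("//" + host.strip()).hostname  # hostname is lowercased
    except ValueError:                   # e.g. malformed IPv6 brackets
        return None


def resolve_host(headers: dict, client_ip: str) -> Optional[str]:
    """Return the validated virtual host, or None to refuse the request.

    X-Forwarded-Host is honoured only when the request comes from the trusted
    proxy, the result must be on the allowlist, and there is no fallback to
    "the first virtual host on the list".
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    candidate = lowered.get("host")
    if client_ip == TRUSTED_PROXY and "x-forwarded-host" in lowered:
        candidate = lowered["x-forwarded-host"].split(",")[0]
    hostname = _normalize(candidate)
    return hostname if hostname in ALLOWED_HOSTS else None


def reset_link(headers: dict, client_ip: str, token: str) -> Optional[str]:
    """Build a password-reset URL from the validated host, never raw headers."""
    host = resolve_host(headers, client_ip)
    if host is None:
        return None
    return f"https://{host}/reset?token={token}"
```

Routing on `resolve_host` and generating absolute links through `reset_link` removes the redirect, cache-poisoning and reset-link vectors in one place, since a request whose host does not validate is refused rather than served by a default virtual host.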

@ThunderSon (Collaborator) commented

I'll be doing another review on this testing scenario later on and then we can close this issue.

@ThunderSon ThunderSon added the HacktoberFest Issues which are good candidates for HacktoberFest: https://hacktoberfest.digitalocean label Sep 30, 2019
@kingthorin kingthorin removed the HacktoberFest Issues which are good candidates for HacktoberFest: https://hacktoberfest.digitalocean label Nov 4, 2019
@kingthorin (Collaborator, Author) commented

All the items in the original ticket were addressed in #61.

This issue was closed.