Removing port from Host header#202

Closed
henshin wants to merge 18 commits into sullo:master from henshin:master

Conversation


@henshin henshin commented Dec 19, 2014

During recent tests, we've noticed that some WAFs or load balancers block requests which have the port specified on the Host header. Example:
Host: targetsite.com:443
This change modifies the Host header to remove the port part.

Owner

sullo commented Dec 20, 2014

According to RFC 2068 which defines the Host header, it's appropriate to have a port in the Host header field: Host = "Host" ":" host [ ":" port ]

And further

A "host" without any trailing port information implies the default port for the service requested (e.g., "80" for an HTTP URL).

So I think if a WAF/LB is blocking requests with a port it's violating the RFC.

That said, it doesn't surprise me. I did some testing with browsers: the default port is not included, but anything else (e.g., example.com:8080) will include the port in the header. So this change will probably break anything not on 80/443.

Best solution will be to modify LibWhisker (where I think it's set) and not add it for default port/scheme combinations.
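The rule described above (omit the port only when it is the default for the scheme, per RFC 2068), as an added illustration rather than LibWhisker's or Nikto's own code; `host_header` builds the value a client should send, and `normalize_host` shows how a receiving WAF or load balancer can compare Host values so that an RFC-valid `targetsite.com:443` over TLS is treated the same as `targetsite.com` instead of being blocked. Function names and the IPv6-literal handling are this example's own assumptions.

```python
import ipaddress

# scheme -> default port, the "implied port" rule quoted from RFC 2068
DEFAULT_PORTS = {False: 80, True: 443}


def host_header(host: str, port: int, ssl: bool) -> str:
    """Build a Host header value, adding ':port' only when the port is not
    the default for the scheme (80 for http, 443 for https)."""
    # IPv6 literals must be bracketed so the port separator is unambiguous
    try:
        if isinstance(ipaddress.ip_address(host), ipaddress.IPv6Address):
            host = f"[{host}]"
    except ValueError:
        pass  # a hostname, not an IP literal
    if port == DEFAULT_PORTS[ssl]:
        return host
    return f"{host}:{port}"


def normalize_host(value: str, ssl: bool) -> tuple[str, int]:
    """Parse a received Host value into (host, port), filling in the scheme's
    default port when none is given. Comparing the normalized tuple, rather
    than the raw string, keeps a WAF/LB rule from rejecting the explicit
    default-port form that the RFC permits."""
    value = value.strip().lower()
    if value.startswith("["):  # bracketed IPv6 literal
        end = value.index("]")
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    if rest.startswith(":") and rest[1:].isdigit():
        return host, int(rest[1:])
    if rest:
        raise ValueError(f"malformed Host value: {value!r}")
    return host, DEFAULT_PORTS[ssl]
```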

Author

henshin commented Dec 24, 2014

Hi sullo,

Thanks for the feedback.
Yes, it seems that it has rules that violate the RFC; I've seen other cases too... My colleagues and I were trying to modify Nikto to run against these WAFs, but they are really sensible and block a lot of stuff....
In any case, we're talking about the VHOST, not the host itself, meaning that it's possible to connect to any IP and any port and specify a different host on the Host header (with or without port) and it's still a valid request.
Anyway, I totally understand if you don't accept the merge. It's probably best to keep a separate modified Nikto to scan these kinds of WAFs in the future.

Owner

sullo commented Dec 24, 2014

I looked in LibWhisker and see that the code that adds the Host header doesn't add it if it's http/80 or https/443. I did some testing in Burp and don't see Nikto sending it. Do you have a capture (output with -D D perhaps) which shows this behavior?

Author

henshin commented Dec 27, 2014

Sure, check this out:

root@kali-ts:~# nikto -D D -h https://www.google.com
- Nikto v2.1.6
---------------------------------------------------------------------------
D:Sat Dec 27 04:16:39 2014 'Request Hash' = {
        'Connection' => 'Keep-Alive',
        'whisker' => {
                'protocol' => 'HTTP',
                'require_newline_after_headers' => 0,
                'lowercase_incoming_headers' => 1,
                'uri_prefix' => '',
                'ssl_save_info' => 1,
                'http_space2' => ' ',
                'ssl_rsacertfile' => undef,
                'uri_param_sep' => '?',
                'timeout' => 10,
                'http_space1' => ' ',
                'method' => 'HEAD',
                'force_open' => 0,
                'include_host_in_uri' => 0,
                'ignore_duplicate_headers' => 1,
                'uri_postfix' => '',
                'keep-alive' => 1,
                'ssl' => 1,
                'version' => '1.1',
                'ssl_certfile' => undef,
                'port' => 443,
                'uri' => '/',
                'host' => 'www.google.com',
                'retry' => 0,
                'normalize_incoming_headers' => 1,
                'invalid_protocol_return_value' => 1,
                'force_bodysnatch' => 0,
                'MAGIC' => 31339,
                'max_size' => 0,
                'trailing_slurp' => 0,
                'force_close' => 0,
                'http_eol' => "\r\n"
        },
        'User-Agent' => 'Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)',
        'Host' => 'www.google.com:443'
};

Notice the Host header outside Whisker. That's the one being used as the VHOST.
Let me know if you need any other info.

Owner

sullo commented Jan 20, 2015

I've committed a change in place of this, which corrects a logic error in LibWhisker that was causing the port to be incorrectly added when the port was 443 and it was SSL, so I'm going to close this one unmerged. Thanks for bringing this to our attention!

a884be7

@sullo sullo closed this Jan 20, 2015
Author

henshin commented Jan 23, 2015

No problem, glad to contribute.


ghost commented Feb 13, 2015

Hi,

and thanks for this fix. I had noticed the same some weeks ago and was happy to find a solution for this in here.
