SlideShare a Scribd company logo

Host Header injection - Slides

Download as PPTX, PDF
A
Amit Dubey

Host header injection is a high severity web security vulnerability that allows attackers to spoof the domain name of a website by manipulating the HTTP "Host" header. This can enable password reset poisoning, web cache poisoning, cross-site scripting, and access to internal hosts. Mitigation techniques include validating the Host header matches the target domain, creating a dummy virtual host to catch invalid headers, whitelisting trusted domains, and disabling support for X-Forwarded-Host headers.

Technology
Related topics:
Information Security
1 of 7
Downloaded 21 times
1
2
Most read
3
4
Most read
5
Most read
6
7
HOST HEADER INJECTION Presenter : Amit Dubey
What are HTTP HEADER? • Request and Response • Carries Information • Browser Request • Server Response • HTTP Header : HOST
What is Host Header Injection ? ■ But what happens if we specify an invalid Host Header ? ■ Original Request – ■ Edited Request –
Impacts - SEVERITY : HIGH ■ Web Cache Poisoning ■ Password Reset Poisoning ■ Cross Site Scripting ■ Access to internal hosts
Bypasses- ■ Multiple Host Headers ■ X-Forwarded-Host
Mitigation - ■ Reject any request that doesn’t match target domain ■ Validating Host header to ensure that the request is originating from that target host or not. ■ Creating an dummy virtual host that catches all requests with unrecognized Host headers. ■ By creating a whitelist of trusted domains. ■ Disable support for X-Forwarded-Host
QUESTION ? ~~~~~~~~~Thank you ~~~~~~~~~

More Related Content

PPTX
Attacking thru HTTP Host header
Sergey Belov
 
PDF
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
Marco Balduzzi
 
PDF
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
PPT
Cross Site Request Forgery
Tony Bibbs
 
PPTX
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
PPT
Xss ppt
chanakyac1
 
PPTX
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
PPTX
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Attacking thru HTTP Host header
Sergey Belov
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
Marco Balduzzi
 
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Cross Site Request Forgery
Tony Bibbs
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Xss ppt
chanakyac1
 
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
SSRF exploit the trust relationship
n|u - The Open Security Community
 

What's hot (20)

PPTX
Understanding Cross-site Request Forgery
Daniel Miessler
 
PDF
Ch 10: Hacking Web Servers
Sam Bowne
 
PDF
Windows Threat Hunting
GIBIN JOHN
 
PDF
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
PPTX
Ssrf
Ilan Mindel
 
PPTX
File inclusion
AaftabKhan14
 
PDF
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
PPTX
HTTP HOST header attacks
DefconRussia
 
PDF
Introduction to Web Application Penetration Testing
Netsparker
 
PDF
Top 10 Web Application vulnerabilities
Terrance Medina
 
PPTX
Manual JavaScript Analysis Is A Bug
Lewis Ardern
 
PDF
HTTP Request Smuggling via higher HTTP versions
neexemil
 
PPTX
Vulnerabilities in modern web applications
Niyas Nazar
 
PDF
Cross Site Scripting Going Beyond the Alert Box
Aaron Weaver
 
PPT
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
PPTX
Analysis of web application penetration testing
Engr Md Yusuf Miah
 
PPT
Cross Site Request Forgery Vulnerabilities
Marco Morana
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
PDF
Web Application Penetration Testing
Priyanka Aash
 
PPTX
Sql injections - with example
Prateek Chauhan
 
Understanding Cross-site Request Forgery
Daniel Miessler
 
Ch 10: Hacking Web Servers
Sam Bowne
 
Windows Threat Hunting
GIBIN JOHN
 
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Ssrf
Ilan Mindel
 
File inclusion
AaftabKhan14
 
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
HTTP HOST header attacks
DefconRussia
 
Introduction to Web Application Penetration Testing
Netsparker
 
Top 10 Web Application vulnerabilities
Terrance Medina
 
Manual JavaScript Analysis Is A Bug
Lewis Ardern
 
HTTP Request Smuggling via higher HTTP versions
neexemil
 
Vulnerabilities in modern web applications
Niyas Nazar
 
Cross Site Scripting Going Beyond the Alert Box
Aaron Weaver
 
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Analysis of web application penetration testing
Engr Md Yusuf Miah
 
Cross Site Request Forgery Vulnerabilities
Marco Morana
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Web Application Penetration Testing
Priyanka Aash
 
Sql injections - with example
Prateek Chauhan
 
Ad

Recently uploaded (20)

PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Ad

Host Header injection - Slides

  • 2. What are HTTP HEADER? • Request and Response • Carries Information • Browser Request • Server Response • HTTP Header : HOST
  • 3. What is Host Header Injection ? ■ But what happens if we specify an invalid Host Header ? ■ Original Request – ■ Edited Request –
  • 4. Impacts - SEVERITY : HIGH ■ Web Cache Poisoning ■ Password Reset Poisoning ■ Cross Site Scripting ■ Access to internal hosts
  • 5. Bypasses- ■ Multiple Host Headers ■ X-Forwarded-Host
  • 6. Mitigation - ■ Reject any request that doesn’t match target domain ■ Validating Host header to ensure that the request is originating from that target host or not. ■ Creating an dummy virtual host that catches all requests with unrecognized Host headers. ■ By creating a whitelist of trusted domains. ■ Disable support for X-Forwarded-Host