Host header vulnerabilities


Date: 2018-03-06 14:32:51
Author: Bay0net


0x01, Preface

  In general, several websites may be placed on the same server, or several systems may share one web server, so the Host header is what tells the server which website or web system should handle the user's request.

0x02, Password reset vulnerability

<?php
// A random reset key is generated server-side and stored on the user.
$user->hash = random::hash();

// The absolute confirmation URL is built with url::abs_site(), which
// derives the site's host from the Host header of the current request.
$message->confirm_url = url::abs_site("password/do_reset?key=$user->hash");

The vulnerability is in url::abs_site: it takes the host for the absolute URL from the Host header of the user's password reset request, so an attacker who controls that header can influence the link that gets mailed out:

  1. The attacker sends a password reset request for the victim's account, with the Host header set to an attacker-controlled server.
  2. When the server generates the password reset key, the manipulated Host value is embedded in the password reset link.
  3. If the user clicks the link to reset the password, the attacker's server receives the password reset key, which can then be used to reset the user's password.

0x03, Cache poisoning

Varnish identifies the host by the first Host header in the request,
Apache looks at all Host headers in the request,
and Nginx looks only at the last Host header.

Attack

GET / HTTP/1.1
Host: example.com
Host: alert(xss)

The request above exploits this discrepancy to fool Varnish, with cache poisoning as the goal.

The attacker submits the request above; the server caches the resulting response, and when someone later visits example.com, the cached response containing alert(xss) is returned to that user.

0x04, Remediation

On the server, validate the Host header value against a whitelist; if the value is not in the whitelist, respond with 403 instead of using it.
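To make the remediation concrete, and to tie it back to the reset-link problem in 0x02 and the duplicate-Host request in 0x03, here is an added Python example. It is not the post's code and not Kohana's url::abs_site; the header lists, the ALLOWED_HOSTS whitelist and CANONICAL_HOST are constructed placeholders standing in for a site's own configuration. It shows a reset-link builder that trusts the Host header beside a hardened one that validates the Host against the whitelist and then builds the link from configuration rather than from the request.

```python
"""Host header handling: trusting the request's Host versus whitelisting it.

Constructed example (not from the original post). Requests are modelled as
lists of (name, value) header pairs; ALLOWED_HOSTS and CANONICAL_HOST are
placeholder configuration values.
"""
from typing import List, Tuple

Headers = List[Tuple[str, str]]

# Assumed site configuration (placeholders, not from the original post).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_HOST = "https://example.com"


def host_values(headers: Headers) -> List[str]:
    """Return every Host header value, in request order (name match is case-insensitive)."""
    return [value.strip() for name, value in headers if name.lower() == "host"]


def pick_host(headers: Headers, policy: str) -> str:
    """Model the front-end/back-end disagreement from 0x03: 'first' is the
    Varnish-style choice, 'last' the Nginx-style choice. Empty if no Host."""
    hosts = host_values(headers)
    if not hosts:
        return ""
    return hosts[0] if policy == "first" else hosts[-1]


def reset_link_unsafe(headers: Headers, key: str) -> str:
    """Mimics the behaviour described for url::abs_site: the absolute URL is
    built from whatever Host the client sent, so the client controls the link."""
    return f"https://{pick_host(headers, 'first')}/password/do_reset?key={key}"


def check_host(headers: Headers) -> Tuple[int, str]:
    """Whitelist check from the remediation section.

    Returns (status, detail): 400 when there is not exactly one Host header
    (the duplicate-Host trick relies on servers disagreeing about which one
    counts), 403 when the hostname is not whitelisted, 200 with the normalised
    hostname otherwise. An explicit port is stripped before matching; IPv6
    literals are not handled in this demo.
    """
    hosts = host_values(headers)
    if len(hosts) != 1:
        return 400, "exactly one Host header is required"
    hostname = hosts[0].lower().split(":", 1)[0]
    if hostname not in ALLOWED_HOSTS:
        return 403, f"host {hostname!r} is not in the whitelist"
    return 200, hostname


def reset_link_safe(headers: Headers, key: str) -> Tuple[int, str]:
    """Hardened builder: reject bad Host values up front and then build the
    link from server-side configuration, never from the request."""
    status, detail = check_host(headers)
    if status != 200:
        return status, detail
    return 200, f"{CANONICAL_HOST}/password/do_reset?key={key}"


if __name__ == "__main__":
    # Constructed requests: a normal one and one with a foreign Host value.
    normal = [("Host", "example.com")]
    foreign = [("Host", "attacker.test")]
    key = "K1"  # placeholder for random::hash() output
    print("unsafe, normal :", reset_link_unsafe(normal, key))
    print("unsafe, foreign:", reset_link_unsafe(foreign, key))
    print("safe,   normal :", reset_link_safe(normal, key))
    print("safe,   foreign:", reset_link_safe(foreign, key))
    duplicate = [("Host", "example.com"), ("Host", "alert(xss)")]
    print("first/last Host:", pick_host(duplicate, "first"), "/", pick_host(duplicate, "last"))
    print("whitelist check:", check_host(duplicate))
```

The design point is that the whitelist check alone is only half of the fix: even with a valid Host, absolute URLs that end up in e-mails should come from a configured canonical origin, so that a request which passes the check for one permitted hostname cannot steer links toward another.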


Source: www.cnblogs.com/v1vvwv/p/host-header-attack.html