Closed event15 closed 5 years ago
You can set trusted hosts to prevent header injection attacks:
Request::setTrustedHosts([
'^(.+\.)?example\.com$',
'^(.+\.)?example\.org$',
]);
Another way to mitigate this, if you serve your Laravel application with Nginx is to listen only to those valid domains and send an empty response for invalid ones:
Unknown hosts:
server {
listen 80;
server_name _;
return 444;
}
All valid hosts:
server {
listen 80;
server_name .example.net .example.com;
...
}
Also if you define your routes within a domain group you can also be safe:
Route::domain('example.com')->group(function () {
...
});
Thanks!
You can set trusted hosts to prevent header injection attacks:
Request::setTrustedHosts([ '^(.+\.)?example\.com$', '^(.+\.)?example\.org$', ]);
Excuse me @bonzai could you point where to put this? Thanks.
You also can filter each request in the AppServiceProvider boot method for the valid host.
$appUrl = env('APP_URL');
$appUrls = explode("//", $appUrl ?? '');
$allowedHosts = [$appUrl, $appUrls[1]];
$currentHost = request()->getHttpHost();
if (!in_array($currentHost, $allowedHosts))
{
abort(404);
}
Description:
If the user sends a query with the manually set X-Forwarded-Host header, then the route() function will return an array with the key "host" with the changed address. This may be a security problem - when I use route('my/page/url') in setAction() in any Form Builder (symfony form, laravel FormFactory etc.), then action attribute can be overridden by the attacker's domain.
Steps To Reproduce:
The action url is is overwritten. All data is correct except host.
Good to read
https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/