Open sveeke opened 5 years ago
Is it a question for server administration?
My understanding is that the "host" parameter of the request is not automatically accessed by the web server. Rather, the application code may use the "host" parameter to access a remote resource. So this would be application issue, not server administration issue.
Host validation on https://surf.stg.mqd.me is configured according to the manual https://docs.djangoproject.com/en/2.1/topics/security/#host-header-validation. But the specific point about Django's implementation is that the header validation applies when the code accesses the "Host" header directly from request.META. If the code doesn't use the header, nothing happens.
Yes, this is correct. If the code does not use the value of the Host header in the request to perform any action, it is safe. Though, during the pentest we were able to receive an HTTP/DNS request with the Host header that we provided. This suggests that the application might be accepting the header and performing a DNS request.
If the code does not use the header value anywhere, this can be considered as fixed.
@ggevorg can you check the following?

> If the code does not use the header value anywhere, this can be considered as fixed.
This code change/verification should be on the backend - the issue appears to be wrongly tagged as front-end. The HOST parameter is set by the attacker - the server backend code needs to be reviewed to verify "if the code does not use the HOST header value anywhere".
Okay, I'll move it to the other repo then. Probably my bad!
It is possible to induce the application to perform server-side HTTP requests to arbitrary domains by modifying the HOST header value. The payload qhbrdm23xln4g0zoujgrbilzbqhk5at3srie82x.burpcollaborator.net was submitted in the SSL SNI value and the HTTP Host header. The application performed an HTTP request to the specified domain. External service interaction arises when it is possible to induce an application to interact with an arbitrary external service, such as a web or mail server.

Affected URL: https://surf.stg.mqd.me/
HTTP Request
Impact
The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.
Recommendation
The application should block the outgoing requests to random servers on the internet. The application code should also validate the Host header before executing the request.
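The point made in the Django comment above (the allow-list check only protects code paths that actually run it) and the recommendation to validate the Host header before any outbound request, as an added example that is not code from this issue or from Django: the risky pattern that lets the inbound Host header choose the outbound target, beside a version that runs an ALLOWED_HOSTS-style check first. The matching rule is reimplemented here from Django's documented semantics, the allow-list entries, exception name and `/api/callback` path are constructed for the example, and a fixed, configured target would be safer still than any Host-derived one.

```python
# Constructed allow-list for this example; a Django project reads settings.ALLOWED_HOSTS.
# A leading dot matches the domain itself and every subdomain (Django's documented rule).
ALLOWED_HOSTS = ["surf.stg.mqd.me", ".mqd.me"]


class HostNotAllowed(Exception):
    """Raised when the Host header fails the allow-list (stand-in for Django's DisallowedHost)."""


def host_without_port(raw_host):
    """Drop a trailing :port so only the hostname is matched; bracketed IPv6 literals stay whole."""
    if raw_host.endswith("]"):
        return raw_host
    host, sep, port = raw_host.rpartition(":")
    return host if sep and port.isdigit() else raw_host


def validate_host(host, allowed_hosts):
    """Reimplementation of the ALLOWED_HOSTS matching rule (example code, not Django's):
    '*' matches anything, otherwise exact match, or a leading-dot pattern that matches the
    bare domain and any subdomain. A pattern like '.mqd.me' must NOT match 'evilmqd.me'."""
    host = host.lower()
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


def outbound_url_unvalidated(meta):
    """The risky pattern: the client-supplied Host header becomes the outbound request target,
    which is what lets an external service interaction like the one reported above happen."""
    return "https://%s/api/callback" % meta["HTTP_HOST"]


def outbound_url_validated(meta, allowed_hosts=ALLOWED_HOSTS):
    """Hardened form: refuse to build an outbound URL from any host not on the allow-list.
    Raising before the request is made is the behaviour a defender wants to see in the logs."""
    host = host_without_port(meta.get("HTTP_HOST", ""))
    if not validate_host(host, allowed_hosts):
        raise HostNotAllowed("Invalid HTTP_HOST header: %r" % host)
    return "https://%s/api/callback" % host
```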