NimbostratusIf attacker are using diff host header to have MITM attach with host header injection - something like below
curl -gv -k -H "Host:; ";;
If we want to match host header value with valid host name in the URL (eg. in this case), and then allow, would that be possible with iRule?
I'm not succesful to extract host name from the full URL so far :(
MVPHi f5rocks,
this is an awesome question and outlines a huge discrepancy between the HTTP/1.1 specification (see RFC7230 Section 5.4. last paragraph) vs. how Software Vendors are implementing their web servers.
Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
https://tools.ietf.org/html/rfc7230page-44
Host of Troubles: Multiple Host Ambiguities in HTTPImplementations
https://www.icir.org/vern/papers/host-of-troubles.ccs16.pdf
To counter attacks using multiple HTTP-Headers (accoring to RFC7230) you may take a look to the iRule below.
Black-Listing request with multiple HOST-Headers
when HTTP_REQUEST {
if { [llength [HTTP::header values "Host"]] > 1 } then {
HTTP::respond 400 content "Bad Request" "Content-Type" "text/html"
} else {
Allow the request...
}
}
And to counter all remaining issues related to HOST-Headers use a white-listing of the combined HTTP-Host header values.
White-Listing based on combined HTTP-Host header values
when HTTP_REQUEST {
if { [string tolower [HTTP::header values "Host"]] eq "www.domain.de" } then {
Allow the request...
} else {
HTTP::respond 400 content "Bad Request" "Content-Type" "text/html"
}
}
Cheers, Kai