
X-Forwarded-Host Header Manipulation #269

Open
ahpaleus opened this issue Sep 19, 2023 · 0 comments
ahpaleus commented Sep 19, 2023

Severity: Medium

The caddy-security plugin processes the X-Forwarded-Host header, which could lead to various security vulnerabilities (web cache poisoning, business logic flaws, routing-based server-side request forgery [SSRF], and classic server-side vulnerabilities). Additionally, the caddy-security plugin generates QR codes based on this header, which extends the attack surface.

Injecting host override header:

GET /admin/logout HTTP/2
Host: portal.caddysecurity.network
X-Forwarded-Host: portal.caddysecurity.network.evil.domain

HTTP/2 302 Found
Cache-Control: no-store
Location: https://portal.caddysecurity.network.evil.domain/admin/login
Pragma: no-cache
Server: Fly/a0b91024 (2023-06-13)
Set-Cookie: AUTHP_SESSION_ID=v14BZF1mtU6iAVYAMMDPROWMZy2pfmrpad7xUbZhP; Domain=caddysecurity.network; Path=/; Secure; HttpOnly;
Set-Cookie: access_token=delete; Domain=caddysecurity.network; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT;
Set-Cookie: AUTHP_REDIRECT_URL=delete; Domain=caddysecurity.network; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT;
Set-Cookie: AUTHP_SESSION_ID=delete; Domain=caddysecurity.network; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT;
Date: Wed, 19 Jul 2023 08:12:13 GMT
Content-Length: 0

For example:

By manipulating X-Forwarded-related headers, we can manipulate the PNG outcome:

GET /qrcode/ HTTP/2
Host: portal.caddysecurity.network
Cookie: AUTHP_SESSION_ID=<redacted>; access_token=<redacted>
X-Forwarded-Host: test123test123
Content-Length: 2

HTTP/2 200 OK
Content-Type: image/png
Server: Fly/a0b91024 (2023-06-13)
Date: Fri, 21 Jul 2023 13:59:13 GMT
Content-Length: 474

(PNG body, remainder omitted by the author)

[image: QR code generated from the manipulated X-Forwarded-Host value]

To mitigate this issue, do not rely on the Host and X-Forwarded-Host headers in the caddy-security plugin logic. Instead, use the current domain manually specified in the configuration file to generate a QR code.

In addition, we recommend the following:

  • Use Burp Suite Professional with the Param Miner extension to identify the processing of hidden headers.
  • Extend the caddy-security documentation to increase user awareness of the HTTP Host header attacks.

More information about our Caddy Security public disclosure:

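The following Go snippet is an added illustration of the mitigation described in the report; it is not code from caddy-security, and the Config type, the PublicOrigin field, the function names and the request values are all assumptions constructed for this example. It places the header-derived origin next to a version that uses only the operator-configured origin, and adds a consistency check a reverse-proxy deployment can log on when X-Forwarded-Host disagrees with the configured host.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Config is a hypothetical stand-in for the one setting the hardened path
// depends on: the portal's public origin, set by the operator in the
// configuration file rather than taken from any request header.
type Config struct {
	PublicOrigin string // e.g. "https://portal.example.test"
}

// insecureBaseURL rebuilds the origin from request headers, preferring
// X-Forwarded-Host. This is the pattern the report describes: whoever
// controls that header controls the Location and QR-code URLs built on it.
func insecureBaseURL(r *http.Request) string {
	host := r.Host
	if fwd := r.Header.Get("X-Forwarded-Host"); fwd != "" {
		host = fwd
	}
	return "https://" + host
}

// secureBaseURL ignores Host-related headers entirely and returns the
// configured origin, which is the fix the report recommends. A value that
// is not an absolute URL is rejected so a misconfiguration fails closed.
func secureBaseURL(cfg Config) (string, error) {
	u, err := url.Parse(cfg.PublicOrigin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", errors.New("PublicOrigin must be an absolute URL with scheme and host")
	}
	return u.Scheme + "://" + u.Host, nil
}

// logoutLocation builds the redirect target for /admin/logout from a base origin.
func logoutLocation(base string) string {
	return strings.TrimRight(base, "/") + "/admin/login"
}

// hostMatchesConfig is a detection aid: behind a trusted proxy the forwarded
// host should equal the configured public host, so a mismatch is worth
// logging even once the origin is no longer derived from it.
func hostMatchesConfig(r *http.Request, cfg Config) bool {
	u, err := url.Parse(cfg.PublicOrigin)
	if err != nil {
		return false
	}
	fwd := r.Header.Get("X-Forwarded-Host")
	return fwd == "" || strings.EqualFold(fwd, u.Host)
}

func main() {
	cfg := Config{PublicOrigin: "https://portal.example.test"}

	// Constructed request carrying an injected forwarded host, as in the report.
	req := httptest.NewRequest("GET", "https://portal.example.test/admin/logout", nil)
	req.Header.Set("X-Forwarded-Host", "portal.example.test.attacker.invalid")

	fmt.Println("header-derived:", logoutLocation(insecureBaseURL(req)))
	base, err := secureBaseURL(cfg)
	if err != nil {
		panic(err)
	}
	fmt.Println("config-derived:", logoutLocation(base))
	fmt.Println("forwarded host consistent with config:", hostMatchesConfig(req, cfg))
}
```

The same configured origin would feed the QR-code generator in place of the request host; the consistency check is deliberately separate from the URL construction so that logging a suspicious header never becomes the thing the URL depends on.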