
How to prevent host header injection in apache

Infinitbility
Apache
September 14th, 2021 · 1 min read

Hello Friends 👋,

Welcome To Infinitbility! ❤️

This article shows how to test for host header injection and how to fix it; the fix described below applies only to Apache users.

Table of content

  1. What is the host header

  2. How to test host header

  3. How to prevent host header injection in apache

Let’s start today’s tutorial: how to prevent host header injection in Apache.

What is the host header

The Host header is used when several web applications are deployed on the same IP address: it tells the server which web application should process the incoming HTTP request. Because the Host header is set on the user end, the server needs either a strict whitelist of accepted hosts, or we unset the header in the Apache configuration. A simple example of host header injection: I’m using $_SERVER['HTTP_HOST'] in my code to build the path of a script file, so whatever the client sends as Host ends up in the page.

<!-- HTTP_HOST is taken straight from the client's Host header, so the script source is client-controlled -->
<script src="http://<?php echo $_SERVER['HTTP_HOST']; ?>"></script>
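The strict whitelist the paragraph above mentions, worked through in Python as an added example (this is not code from the original post). ALLOWED_HOSTS, CANONICAL_HOST and the function names are constructed for illustration; the vulnerable function mirrors the PHP snippet, the hardened one can only ever emit a whitelisted host.

```python
"""Host header whitelist: vulnerable reflection beside the hardened version.

Added example, not part of the original post. The allowlist and canonical
host below are constructed values standing in for a real deployment.
"""
from html import escape

# Constructed allowlist: the hostnames this deployment legitimately serves.
ALLOWED_HOSTS = {"yourdomain.com", "www.yourdomain.com"}
CANONICAL_HOST = "yourdomain.com"


def vulnerable_script_tag(request_host: str) -> str:
    """Mirrors the PHP snippet: the client-controlled Host value lands in src."""
    return f'<script src="https://{request_host}/assets/app.js"></script>'


def normalize_host(request_host: str) -> str:
    """Lower-case the host and strip an explicit port ('Example.com:443' -> 'example.com')."""
    host = request_host.strip().lower()
    # IPv6 literals such as [::1]:443 keep their brackets; the port follows the bracket.
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.split(":", 1)[0]


def resolve_host(request_host: str, allowed=ALLOWED_HOSTS, canonical=CANONICAL_HOST) -> str:
    """Return the request's host only if it is whitelisted, otherwise the canonical host."""
    host = normalize_host(request_host)
    return host if host in allowed else canonical


def safe_script_tag(request_host: str) -> str:
    """Hardened version: the emitted host can only be a whitelisted value."""
    host = resolve_host(request_host)
    return f'<script src="https://{escape(host, quote=True)}/assets/app.js"></script>'


if __name__ == "__main__":
    forged = "attacker.com"
    print(vulnerable_script_tag(forged))  # client-chosen host in src
    print(safe_script_tag(forged))        # canonical host instead
```

The check normalizes case and drops the port before comparing, because `Host: YourDomain.com:443` is a legitimate way for a browser to name the same site; the fallback to the canonical host (rather than an error page) keeps the site working for misconfigured proxies while never echoing an unknown name.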

How to test host header

To test for host header injection, download Burp Suite Community Edition from the link below.

https://portswigger.net/burp/communitydownload

After installing Burp:

  1. Open Burp as a temporary project and go to the Repeater tab.

  2. Click on Target and enter your domain with port 443 (the HTTPS port).

  3. Set the Host header to another domain, such as attacker.com (now.com in the example below), and set the Referer to your own domain, as in the following request.

    GET /assets HTTP/1.1
    Host: now.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: image/webp,*/*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://yourdomain.com/
    Cookie: Awsalb=svtfag%2fw2hflr9mt35pembbq4a7thq7reeboiu5%20w7tmx6kla%2fc9rlcoa0w%20cd%20anoknweepl7j%3aVdedaikqyhkgufy%20sqwnx2ygvxpsit02zesu9esnbwn2tdwk; Awsalbcors=sv tfag/w2hflr9mt35pembbq4a7thq7reeboiu5 w7tmx6kla/c9rlcoa0w cd anoknwee: Pl7jvdedaikqyhkgufy sqwnx2ygvxpsit02zesu9esnbwn2tdwk:
    Sec-Fetch-Dest: image
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Site: same-origin
    If-Modified-Since: Wed, 11 Aug 2021 08:14:20 GMT
    If-None-Match: "5a7-5c94434982dac"
    Cache-Control: max-age=0
  4. After pressing Send, if now.com appears in the response (for example in the Location header, as in the example below), then your site has a host header issue.

[Image: example response showing the injected host (Apache, host, header, Example)]
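The check in step 4 (does the forged hostname come back in the response?) written out in Python as an added example, not part of the original post. Both sample responses are constructed for illustration; the parser and the function names are assumptions of this example, and the inspection generalizes the step slightly by reporting every header and the body where the forged value appears, not only Location.

```python
"""Inspect a captured HTTP response for reflection of a forged Host value.

Added example, not part of the original post. SAMPLE_RESPONSE and
SAFE_RESPONSE are constructed stand-ins for what the Repeater tab returns.
"""

# Constructed vulnerable response: a redirect whose Location was built from the
# forged Host value, and a body that echoes it into a script src as well.
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Apache\r\n"
    "Location: https://now.com/assets/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 53\r\n"
    "\r\n"
    '<script src="http://now.com/assets/app.js"></script>\n'
)

# Constructed healthy response: the server only ever names its canonical host.
SAFE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<script src="https://yourdomain.com/assets/app.js"></script>\n'
)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased so lookups are case-insensitive; only the first
    colon splits name from value, so URLs in values stay intact.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def host_reflections(raw: str, forged_host: str) -> list:
    """Return where forged_host was reflected, e.g. ['location', 'body']."""
    _, headers, body = parse_response(raw)
    needle = forged_host.lower()
    hits = [name for name, value in headers.items() if needle in value.lower()]
    if needle in body.lower():
        hits.append("body")
    return hits


def is_vulnerable(raw: str, forged_host: str) -> bool:
    """True when any header or the body echoes the forged Host value."""
    return bool(host_reflections(raw, forged_host))


if __name__ == "__main__":
    print(host_reflections(SAMPLE_RESPONSE, "now.com"))  # ['location', 'body']
    print(host_reflections(SAFE_RESPONSE, "now.com"))    # []
```

A reflection in Location is the classic sign (password-reset and redirect links built from Host follow the same path); a reflection in the body shows the application-side pattern from the PHP snippet earlier, which the Apache directive alone does not remove.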

How to prevent host header injection in apache

To fix host header injection, we can unset the X-Forwarded-Host header on the incoming request as follows:

RequestHeader unset X-Forwarded-Host

Go to the /etc/apache2/sites-available folder and edit your domain’s configuration file.

Put RequestHeader unset X-Forwarded-Host in your site configuration and save the file. (RequestHeader acts on the incoming request, which is the one we want to clean; the similar Header directive acts on response headers. Both come from mod_headers, so enable it first with a2enmod headers if it is not already loaded.)

After saving, restart your Apache server.
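A fuller Apache configuration, as an added example that is not from the original post: it keeps the directive above and adds the whitelist side the first section mentions, so that a request whose Host matches no configured name is refused instead of being served under that name. The site name, certificate paths and document root are placeholders for your own values. Apache treats the first vhost listed for an address and port as the default, so on Debian-style layouts the catch-all file must sort first in sites-enabled (for example 000-default.conf).

```apache
# Added example configuration (not from the original post). Assumes the site
# is yourdomain.com served from /var/www/yourdomain; adjust names and paths.
# Requires mod_headers:  a2enmod headers && systemctl restart apache2

# 1. Default (first-listed) vhost: catches requests whose Host header matches
#    no ServerName/ServerAlias below and refuses them, so the real site is
#    never served under a client-chosen hostname.
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/yourdomain.pem      # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/yourdomain.key    # placeholder path
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# 2. The real site. ServerName/ServerAlias act as the host whitelist,
#    UseCanonicalName On makes Apache build self-referential URLs (and
#    SERVER_NAME for PHP/CGI) from ServerName instead of the client's Host,
#    and the forwarded header is dropped so code behind a proxy is not fooled
#    by it either.
<VirtualHost *:443>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    UseCanonicalName On
    DocumentRoot /var/www/yourdomain
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/yourdomain.pem      # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/yourdomain.key    # placeholder path
    RequestHeader unset X-Forwarded-Host
</VirtualHost>
```

Note that UseCanonicalName only changes what Apache itself and SERVER_NAME report; $_SERVER['HTTP_HOST'] in PHP still carries the raw Host header, which is why the catch-all vhost (or an application-side whitelist like the one earlier) is what actually stops an unknown hostname from reaching your code.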

Thanks for reading…

© 2020–2021 Infinitbility