Host header can be spoofed
If we send an HTTP 1.0 request without a Host header, we can add some spoof data to the request body. In the example, vost is the host the service is running on, and spoof is the host the service thinks we sent.
curl -0X POST http://vost/ -H 'Host:' --data-binary $'\nHost: spoof\n'
We can also spoof with an HTTP 1.1 request by adding a header with spoof data before the Host header. In this example, real is the host other services will think the request is for.
nc -q 1 vost 80 <<< $'GET / HTTP/1.1\r\nX-Spoof: \rHost: spoof\r\r\nHost: real\r\n\r\n'
Thank you very much for that remark. I just wonder what effect that could have if you spoof the Host header to get the request forwarded to a service behind Vost that would be reachable directly anyway. Then you can just send a request directly to that service on its real host with whatever data. If that request is not treated right or causes problems, that is not a flaw of Vost, but of the service.
First of all, it doesn't follow the HTTP spec. Vost will not behave the way someone would expect an HTTP vhost proxy/load balancer to behave.
Second, consider that you're using vost internally and it's proxying to several web apps, some private and some public. And you have Apache facing the internet, reverse proxying some hosts (the public ones) to vost. I can now communicate with any of the private web apps...
In that case, that is an issue, true. It should be fixed to allow such a setup. Thanks for pointing that out.
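The following is an added example, not code from this thread or from Vost: it contrasts a loose Host lookup with a strict one, run over requests constructed from the two commands in the report. `loose_host` is an assumed model of a parser that would give the reported result, and all function and constant names are hypothetical.

```python
# Added example. Sample requests are constructed from the two commands in the
# report (the curl one approximated); nothing here is Vost's own code.
CURL_HTTP10 = (b"POST / HTTP/1.0\r\nUser-Agent: curl\r\nAccept: */*\r\n"
               b"Content-Length: 13\r\n\r\n\nHost: spoof\n")
NC_HTTP11 = (b"GET / HTTP/1.1\r\nX-Spoof: \rHost: spoof\r\r\n"
             b"Host: real\r\n\r\n")
CLEAN = b"GET / HTTP/1.1\r\nHost: real\r\n\r\n"


def loose_host(raw):
    """Assumed loose parser: any CR or LF ends a line, and the body is scanned."""
    for line in raw.splitlines():
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii")
    return None


def strict_host(raw):
    """Return the single Host value from the header section, or raise ValueError."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header section")
    request_line, *lines = head.split(b"\r\n")
    hosts = []
    for line in lines:
        # After splitting on CRLF, a leftover CR or LF is a bare line break.
        if b"\r" in line or b"\n" in line:
            raise ValueError("bare CR or LF inside a header line")
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line")
        if name.lower() == b"host":
            hosts.append(value.strip().decode("ascii"))
    if len(hosts) > 1:
        raise ValueError("more than one Host header")
    if not hosts:
        if request_line.endswith(b"HTTP/1.1"):
            raise ValueError("HTTP/1.1 request without Host")
        return None  # HTTP/1.0: use a default backend, never read the body
    return hosts[0]


if __name__ == "__main__":
    for sample in (CURL_HTTP10, NC_HTTP11, CLEAN):
        try:
            print(loose_host(sample), "|", strict_host(sample))
        except ValueError as err:
            print(loose_host(sample), "| rejected:", err)
```

A front proxy and a backend router that both apply the strict rule cannot disagree about which host a request names, which is the condition the Apache-in-front setup described above depends on.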