Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-16741

Validate host header value to prevent host header injection



    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 3.3.3, 3.3.4
    • None
    • webhdfs
    • None



      In many cases, developers trust the HTTP Host header value to generate links, import scripts and even generate password reset links. This implementation can be abused because the HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels like password reset emails.

      Affected API:
       other APIs that allow redirect is also affected by this issue.

      Risk Assessment

      It is possible for a remote attacker to inject custom value into host header and can force application to redirect legitimate users to a web page or domain that he/she controls. The user may be presented with a look alike phishing page of the application using which the attacker can upload or can execute malicious content in user's client.

      Fix Recommendation

      The web application should validate whether the host header value is same as that of the domain serving the request. It should also create a dummy vhost that catches all requests with unrecognized Host headers.

      Steps to reproduce:

      1. Capture the API request using an interceptor and replace the value of host header with the attackers web server.
      2. Now forward the edited request and it is observed that API is getting redirected to attacker supplied URL in host header.


        1. host header injection issue.png
          706 kB
          Evelyn Liang



            Unassigned Unassigned
            evelyn.yuliang Evelyn Liang
            0 Vote for this issue
            1 Start watching this issue