Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
3.3.3, 3.3.4
-
None
-
None
Description
Description
In many cases, developers trust the HTTP Host header value to generate links, import scripts and even generate password reset links. This implementation can be abused because the HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels like password reset emails.
Affected API:
http://<HOST>:<PORT>/webhdfs/v1/<PATH>?op=OPEN
other APIs that allow redirect is also affected by this issue.
Risk Assessment
It is possible for a remote attacker to inject custom value into host header and can force application to redirect legitimate users to a web page or domain that he/she controls. The user may be presented with a look alike phishing page of the application using which the attacker can upload or can execute malicious content in user's client.
Fix Recommendation
The web application should validate whether the host header value is same as that of the domain serving the request. It should also create a dummy vhost that catches all requests with unrecognized Host headers.
Steps to reproduce:
- Capture the API request using an interceptor and replace the value of host header with the attackers web server.
- Now forward the edited request and it is observed that API is getting redirected to attacker supplied URL in host header.
