Responses in-line.  Thanks!

> I'm thinking in order to determine if HTTP host header can be exploited, we
> would need to:
> A) determine if SERVER_NAME, HTTP_HOST, or both have values
> B) verify the URI to see if the SERVER_NAME and HTTP_HOST match?
> C) Determine if there are wildcard entries for SERVER_NAME

> Let's move one step back, what do you mean by SERVER_NAME?

SERVER_NAME would be the server included in the POST command?

i.e. POST https://addons.mozilla.org/en-US

So maybe send a POST with the valid server_name but with a random HOST
header and see if a response is returned?  If so, I guess this can be
exploited?

> Also, is HTTP_HOST the host header sent in a request? If so, we
> control that and we can set it or not.

Yes, I was referring to the malicious host also sent in a request.

> I believe a curl request can be created to verify the above?

> Let's forget about the how for a while; first let's understand the
> problem and the algorithm to identify it.



> I apologize if this is not the right solution, but would appreciate any
> assistance.  Thanks!

> No reason to apologize! We all need to learn about these new
> vulnerabilities.
>
> PD: Can we take this conversation back to w3af-develop?


On Thu, May 16, 2013 at 12:02 PM, Andres Riancho
<andres.rian...@gmail.com> wrote:

> Vint,
>
>     Answers inline,
>
> On Thu, May 16, 2013 at 12:27 PM, Vint Surf <vints...@gmail.com> wrote:
> > Hi Andres,
> >
> > Hope you're doing well!  I wanted to send over a quick e-mail to see if I am
> > on the right track with the HTTP host header attacks.
> >
> > So after reading the article from Skeleton Scribe, it seems as though issues
> > can occur if there are multiple HTTP_Host headers or if the HTTP_Host header
> > and SERVER_NAME do not match.
> >
> > I'm thinking in order to determine if HTTP host header can be exploited, we
> > would need to:
> > A) determine if SERVER_NAME, HTTP_HOST, or both have values
> > B) verify the URI to see if the SERVER_NAME and HTTP_HOST match?
> > C) Determine if there are wildcard entries for SERVER_NAME
>
> Let's move one step back, what do you mean by SERVER_NAME?
>
> Also, is HTTP_HOST the host header sent in a request? If so, we
> control that and we can set it or not.
>
> > I believe a curl request can be created to verify the above?
>
> Let's forget about the how for a while; first let's understand the
> problem and the algorithm to identify it.
>
> > I apologize if this is not the right solution, but would appreciate any
> > assistance.  Thanks!
>
> No reason to apologize! We all need to learn about these new
> vulnerabilities.
>
> PD: Can we take this conversation back to w3af-develop?
>
> >
> > On Wed, May 15, 2013 at 11:00 AM, Vint Surf <vints...@gmail.com> wrote:
> >>
> >> Sorry for the delay....I will be reviewing the materials today and will be
> >> in touch shortly regarding potential solutions in "human terms" for the http
> >> host header attacks.
> >>
> >>
> >> On Sat, May 11, 2013 at 11:35 AM, Andres Riancho
> >> <andres.rian...@gmail.com> wrote:
> >>>
> >>> On Sat, May 11, 2013 at 4:59 AM, Achim Hoffmann <webse...@sic-sec.org>
> >>> wrote:
> >>> > Hi Andrés,
> >>> >
> >>> > Am 10.05.2013 23:34, schrieb Andres Riancho:
> >>> >> for mutant in mutants:
> >>> >>     mutant.set_mod_value(value1)
> >>> >>     response1 = send_mutant(mutant)
> >>> >>
> >>> >>     mutant.set_mod_value(value2)
> >>> >>     response2 = send_mutant(mutant)
> >>> >>
> >>> >>     mutant.set_mod_value(value3)
> >>> >>     response3 = send_mutant(mutant)
> >>> >> ```
> >>> >>
> >>> >> Which in human would say... create empty mutants for each parameter,
> >>> >> then, for each mutant set the values, send the requests and save the
> >>> >> responses.
> >>> >
> >>> > if that's the way to do it in w3af, it's ok. I don't see a problem
> >>> > then.
> >>> > I'm a bad -very bad- python programmer, hence will leave that to
> >>> > experts ;-)
> >>>
> >>> D M will be doing that, your list will help him understand what to do,
> >>>
> >>> > Anyway, you still have in mind that it's about the Host HTTP header?
> >>>
> >>> Now that you mention it, it is possible that this won't work with the
> >>> Host header.
> >>>
> >>> > Can w3af easily manipulate that header, even in the way you described
> >>> > above,
> >>> > and are there no libs/APIs/whatever used, which set their own header?
> >>> > I just remind that, 'cause I know from other languages/frameworks that it is
> >>> > very difficult to write code against the standard.
> >>>
> >>> We'll find a different way to do it, not with create_mutants, but
> >>> we'll find a way.
> >>>
> >>> Regards,
> >>>
> >>> >
> >>> > List is coming soon ...
> >>> > Achim
> >>>
> >>>
> >>>
> >>> --
> >>> Andrés Riancho
> >>> Project Leader at w3af - http://w3af.org/
> >>> Web Application Attack and Audit Framework
> >>> Twitter: @w3af
> >>> GPG: 0x93C344F3
> >>>
> >>>
> >>>
> ------------------------------------------------------------------------------
> >>> Learn Graph Databases - Download FREE O'Reilly Book
> >>> "Graph Databases" is the definitive new guide to graph databases and
> >>> their applications. This 200-page book is written by three acclaimed
> >>> leaders in the field. The early access version is available now.
> >>> Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
> >>> _______________________________________________
> >>> W3af-develop mailing list
> >>> W3af-develop@lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >>
> >>
> >
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
>
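The detection approach the thread converges on (send one request with the real host, then one with a random Host value, and see whether the server echoes the attacker-controlled value back in redirects or links) can be written down as a small audit loop. The following is an added example, not w3af code and not written by anyone on this thread: the HostHeaderMutant class, the send_mutant helper, the transport callback and the two fake servers are all constructed here for illustration, and nothing is sent over the network (the addons.mozilla.org URL from the thread is only parsed).

```python
import re
import secrets
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Added example for the detection algorithm discussed in this thread. It is
# not w3af code: the mutant class, the transport callback and the two fake
# servers below are constructed for illustration only.

Response = Tuple[int, Dict[str, str], str]          # (status, headers, body)
Transport = Callable[[str, int, bytes], Response]   # (real host, port, raw request)


class HostHeaderMutant:
    """One request whose Host header is the modified value; the URL stays fixed."""

    def __init__(self, url: str):
        self.url = url
        self.parts = urlsplit(url)
        self.host_value = self.parts.hostname or ""

    def set_mod_value(self, value: str) -> None:
        self.host_value = value

    def to_raw_request(self) -> bytes:
        path = self.parts.path or "/"
        if self.parts.query:
            path += "?" + self.parts.query
        # The request line still targets the real server (the SERVER_NAME side);
        # only the Host header carries the attacker-controlled value.
        lines = [f"GET {path} HTTP/1.1", f"Host: {self.host_value}",
                 "Connection: close", "", ""]
        return "\r\n".join(lines).encode()


def send_mutant(mutant: HostHeaderMutant, transport: Transport) -> Response:
    port = mutant.parts.port or (443 if mutant.parts.scheme == "https" else 80)
    return transport(mutant.parts.hostname or "", port, mutant.to_raw_request())


def find_reflections(canary: str, response: Response) -> List[str]:
    """Report where the canary host comes back: response headers (Location,
    Set-Cookie domain, ...) and absolute URLs in the body are the places a
    poisoned link or redirect would show up."""
    _status, headers, body = response
    needle = canary.lower()
    hits = [f"header:{name}" for name, value in headers.items() if needle in value.lower()]
    for m in re.finditer(r"https?://([^/\s\"'<>]+)", body, re.I):
        if needle in m.group(1).lower():
            hits.append(f"body-url:{m.group(0)}")
    return hits


def audit_host_header(url: str, transport: Transport) -> dict:
    """Baseline request with the real host, then the same request with a
    random Host value; the finding is the canary being reflected."""
    canary = f"{secrets.token_hex(4)}.host-canary.invalid"
    mutant = HostHeaderMutant(url)
    baseline = send_mutant(mutant, transport)
    mutant.set_mod_value(canary)
    probed = send_mutant(mutant, transport)
    reflections = find_reflections(canary, probed)
    # A server that rejects unknown hosts (4xx) or answers without echoing the
    # value is not exploitable this way.
    return {
        "canary": canary,
        "baseline_status": baseline[0],
        "probe_status": probed[0],
        "reflections": reflections,
        "vulnerable": probed[0] < 400 and bool(reflections),
    }


def _host_header(raw: bytes) -> str:
    for line in raw.decode().split("\r\n"):
        if line.lower().startswith("host:"):
            return line.split(":", 1)[1].strip()
    return ""


def vulnerable_server(_host: str, _port: int, raw: bytes) -> Response:
    """Constructed fake: builds absolute URLs from whatever Host it receives."""
    host = _host_header(raw)
    return (302, {"Location": f"https://{host}/login"},
            f'<a href="https://{host}/reset?token=abc">reset</a>')


def strict_server(host: str, _port: int, raw: bytes) -> Response:
    """Constructed fake: only answers for its configured name (a non-default vhost)."""
    if _host_header(raw).lower() != host.lower():
        return (400, {}, "Bad Request: unknown host")
    return (302, {"Location": f"https://{host}/login"},
            f'<a href="https://{host}/reset">reset</a>')


if __name__ == "__main__":
    for name, server in (("vulnerable", vulnerable_server), ("strict", strict_server)):
        print(name, audit_host_header("https://addons.mozilla.org/en-US", server))
```

To use it against a real target the transport callback would open a socket (or TLS connection) to the real hostname and port and return the parsed response; that is the piece this example leaves as a callback so the detection logic can be exercised offline. The "strict" fake shows the non-finding case: a server that only serves its configured name answers the probe with a 4xx and the canary never appears.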