
How to exploit HTTP "Host" header XSS vulnerability?

Follow-up question to "How to exploit HTTP header XSS vulnerability?"

Let's say that a page is just printing the value of the HTTP 'Host' header with no escaping. So the page is vulnerable to an XSS attack, i.e. an attacker can craft a GET request with a 'Host' header containing something like alert('xss');.

But how can you actually use this to attack a target? How can the attacker make the target issue that specific request with that specific header?

The HTTP Host header is basically used as a string to figure out which of the (potentially many) name-based hosts in the server configuration should be used to serve up the request.

Let's say you forged up an HTTP request and got this header sent over:

Host: <script>alert('foo');</script>.example.com

The ONLY way this could get through to the PHP script you want to attack is if the webmaster configured the server and site definition to allow that explicit hostname, or has wildcard naming in place, e.g.

<VirtualHost ...>
    ServerName www.example.com
    ServerAlias *.example.com
</VirtualHost>

Since the wildcard allows ANYTHING before .example.com, your JS-hostname would get through.

But a vhost configured like this:

<VirtualHost ...>
    ServerName www.example.com
    ServerAlias web.example.com
</VirtualHost>

would not be vulnerable, because the Host name you've provided is not matched by ANY of the configured hostnames. The request may be handled by some other catch-all vhost, but since your vulnerable script doesn't exist on that site, that's useless to you.
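As an added example (not code from the question or the answer), here is the reflecting PHP page the question describes next to a hardened version that mirrors the answer's point: only hostnames the site is actually configured to serve are accepted, and whatever is echoed is escaped. The allowlist, the function names and the constructed `$_SERVER` array are assumptions for illustration.

```php
<?php
// Added example: Host-header reflection, vulnerable and hardened forms.
// ALLOWED_HOSTS and the sample request are assumptions, not from the page.

// VULNERABLE: Host is client-controlled and written raw into the HTML body.
function render_vulnerable(array $server): string
{
    return '<p>You reached ' . ($server['HTTP_HOST'] ?? '') . '</p>';
}

// HARDENED: accept only the names the vhost serves (no wildcard, like the
// answer's second configuration) and fall back to the canonical name otherwise.
const ALLOWED_HOSTS = ['www.example.com', 'web.example.com'];

function canonical_host(array $server): string
{
    // Drop an optional :port and compare case-insensitively, as DNS names are.
    $host = strtolower(preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? ''));
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        // Unknown Host: never echo the request value, use the canonical name.
        return ALLOWED_HOSTS[0];
    }
    return $host;
}

function render_hardened(array $server): string
{
    $host = canonical_host($server);
    // Escape even the allowlisted value: defence in depth if the list changes.
    return '<p>You reached '
        . htmlspecialchars($host, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Constructed request carrying the forged header from the answer.
$forged = ['HTTP_HOST' => "<script>alert('foo');</script>.example.com"];
echo render_vulnerable($forged), "\n"; // script tag lands in the page unescaped
echo render_hardened($forged), "\n";   // falls back to www.example.com, escaped
```

Pairing this allowlist with a vhost that has no wildcard ServerAlias, as in the answer's second configuration, keeps unknown hostnames from reaching the script in the first place.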
