
Lack of data validation - Host Header Injection

Description

The application allows the Host header to be manipulated, which may lead to unintended redirects to malicious websites.

Impact

Redirect the user to harmful websites.

Recommendation

Validate the Host header against a whitelist of trusted domains.

Threat

Anonymous attacker from adjacent network.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: H
  • Privileges required: N
  • User interaction: R
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: H
  • Remediation level: U
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:H/RL:U/RC:C
  • Score:
    • Base: 3.7
    • Temporal: 3.7
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The application uses user input only after validating it on the server side.

const http = require('http');

// Whitelist of Host values the application is permitted to serve
// (example.com is a placeholder for the real domains).
const whitelist = new Set(['example.com', 'www.example.com']);

const signinHandler = (req, res) => {
  // Note: http.validateHeaderName only checks that a header *name* is a
  // valid token; the Host *value* still has to be compared with the whitelist.
  const host = (req.headers.host || '').toLowerCase();
  if (!whitelist.has(host)) {
    res.writeHead(400, { 'Content-Type': 'text/plain' });
    return res.end('Invalid Host header');
  }
  // Do data manipulation (e.g. build redirect URLs) with the validated host only
  res.writeHead(200);
  res.end('OK');
};

http.createServer(signinHandler).listen(3000);

Non compliant code

The application uses user input without server-side validation.

const signinHandler = (req, res) => {
  // Do data manipulation with the raw Host header, without validating it
  // against a whitelist: the redirect target is attacker-controlled.
  const host = req.headers.host;
  res.writeHead(302, { Location: 'https://' + host + '/account' });
  res.end();
};
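A stricter form of the whitelist check from the Recommendation, as an added example that is not the original page's code: the Host header is accepted only when it is a well-formed host (optionally with a port), it is lower-cased and the port is stripped, and only the resulting name is compared with a constructed allow-list (example.com and www.example.com are placeholders). The handler then builds its redirect from the validated name alone, never from the raw header.

```javascript
// Constructed allow-list for this example; replace with the application's real hostnames.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

// Matches "host" or "host:port", where host is a DNS name or a bracketed IPv6 literal.
// Anything else ('@', '/', '\\', spaces, ...) is rejected before any comparison.
const HOST_RE = /^(?<host>[a-z0-9.-]+|\[[0-9a-f:.]+\])(?::(?<port>\d{1,5}))?$/i;

// Return the validated, lower-cased hostname, or null when the header must be rejected.
function validateHost(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return null; // missing header
  const m = HOST_RE.exec(hostHeader);
  if (m === null) return null;                                  // malformed host
  if (m.groups.port !== undefined && Number(m.groups.port) > 65535) return null;
  const host = m.groups.host.toLowerCase();                     // case-insensitive compare
  return ALLOWED_HOSTS.has(host) ? host : null;
}

// Handler that only ever uses the validated value. It deliberately ignores
// X-Forwarded-Host, which is also client-controlled unless a trusted proxy sets it.
function signinHandler(req, res) {
  const hostname = validateHost(req.headers.host);
  if (hostname === null) {
    res.writeHead(400, { 'Content-Type': 'text/plain' });
    return res.end('Invalid Host header');
  }
  res.writeHead(302, { Location: 'https://' + hostname + '/account' });
  res.end();
}
```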

Requirements