- 22 Jan 2025
How to Address Host Header Injection Vulnerabilities in Nodegrid
- Updated on 22 Jan 2025
Understanding Host Header Injection
What is Host Header Injection?
Host Header Injection occurs when an attacker manipulates the Host header of an HTTP request to change how the server behaves. The Host header specifies the domain name or IP address of the Nodegrid server you intend to interact with and is typically set by your browser based on the URL you enter. For example, when you visit testwebsite.com, the Host header is automatically set to testwebsite.com. However, attackers can intercept and alter this header to send requests to an unintended server or manipulate the behavior of the target server. This type of attack can be performed using various tools designed for modifying HTTP requests.
How does Host Header Injection happen?
When you enter a Nodegrid URL or IP address in your web browser, for example, 192.0.2.0, the browser sends an HTTP request with the Host header set to the specified address. The Nodegrid server uses this header to identify and serve the requested resource. An attacker can intercept this HTTP request and manually change the Host header to point to a different server, such as maliciouswebsite.com. As a result, the request is redirected to or processed by another server instead of the intended one.
For example:
Intended request:
    GET / HTTP/1.1
    Host: 192.0.20.0
Manipulated request:
    GET / HTTP/1.1
    Host: maliciouswebsite.com
If the server does not properly validate the Host header, it may redirect the user to the attacker’s server or execute unintended server-side actions based on the injected header.
Note: For a Nodegrid device, even if an attacker injects the header with malicious code, they cannot gain significant access because they still need to authenticate by logging into the application. However, they can cause minor disruptions to the login page's functionality or appearance.
How to prevent Host Header Injection?
There are two ways to prevent Host Header Injection:
- Manually adding a host into whitelist (recommended)
- Disabling DirectorySlash
Manually adding a host into whitelist (recommended)
Apache is the software that runs the server. To configure it for a specific IP address, which acts as the unique identifier for connecting to the host, you need to update the Nodegrid configuration files. This involves modifying three files: listen.conf, httpd-ssl.conf (for HTTPS requests), and httpd.conf. In these files you can set up hosting rules and customize the IP address or DNS name used to access the Nodegrid device, which also adds the desired host to the whitelist. To do this:
Access the device by SSH and go to shell:
    shell
    sudo su -
Open listen.conf for editing (vi /etc/apache2/conf.d/listen.conf), check for the <VirtualHost> block, and add the marked section to it.
    <VirtualHost _default_:443>
        RewriteEngine On
        ###### Add this part
        ## Change the hostnames/ip, insert your
        <IfModule rewrite_module>
            RewriteEngine On
            RewriteCond %{HTTP_HOST} !^(www\.your-hostname\.com|192\.0\.20\.0)$ [NC]
            RewriteRule ^ - [F]
        </IfModule>
        #######
        ...
    </VirtualHost>
Note:
If the configuration file does not include a <VirtualHost> block, you can place the <IfModule rewrite_module> section directly in the file, outside of any block.
Note:
Each time you change the Web Service configuration in Nodegrid under Security :: Services, the configuration file listen.conf is reset, so you need to perform the above step again each time the Web Service configuration is changed.
Modify the /etc/apache2/extras/httpd-ssl.conf.
    ...
    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost _default_:443>
    ###### Add this part
    ## Change the hostnames/ip, insert your
    <IfModule rewrite_module>
        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^(www\.your-hostname\.com|192\.0\.20\.0)$ [NC]
        RewriteRule ^ - [F]
    </IfModule>
    #######
    ProxyPreserveHost On
    SSLProxyEngine On
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ".*/websession.*"
    ...
Modify the /etc/apache2/httpd.conf.
    LoadModule auth_ticket_module modules/mod_auth_ticket.so
    ###### Add this part
    ## Change the hostnames/ip, insert your
    <IfModule rewrite_module>
        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^(www\.your-hostname\.com|192\.0\.20\.0)$ [NC]
        RewriteRule ^ - [F]
    </IfModule>
    #######
    <Directory />
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^OPTIONS
        RewriteRule .* - [F]
    </Directory>
Restart the apache2 service.
/etc/init.d/apache2 restart
Users will now be directed only to the IP address and/or DNS name defined in the three configuration files. If an attacker attempts an HTTP injection to modify the page, a Forbidden message will be displayed to the user.
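To check the whitelist after the restart, the following added example (not Nodegrid or ZPE code) models the RewriteCond pattern above against constructed Host values and, when given a device address, sends each value to the device to confirm the Forbidden response. The function names and sample values are assumptions, and certificate verification is turned off on the assumption that the device presents a self-signed certificate.

```python
import http.client
import re
import ssl
import sys

# Pattern copied from the RewriteCond on this page; [NC] maps to re.IGNORECASE.
ALLOWED = re.compile(r"^(www\.your-hostname\.com|192\.0\.20\.0)$", re.IGNORECASE)

# Constructed Host values covering the cases the pattern has to get right.
SAMPLES = [
    "192.0.20.0",                       # whitelisted IP
    "WWW.Your-Hostname.com",            # whitelisted name, different case ([NC])
    "maliciouswebsite.com",             # the manipulated request from this page
    "192.0.20.0.maliciouswebsite.com",  # whitelisted value as a prefix ($ anchor)
    "192x0x20x0",                       # passes only if the dots are left unescaped
    "192.0.20.0:443",                   # explicit port is not covered by the pattern
]


def rule_forbids(host_header):
    """Model of the rule: the negated RewriteCond fires [F] when nothing matches."""
    return ALLOWED.search(host_header) is None


def device_forbids(device, host_header, port=443):
    """Send GET / with the given Host header; True if the device answers 403."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # assumption: self-signed device certificate
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(device, port, timeout=10, context=ctx)
    try:
        conn.putrequest("GET", "/", skip_host=True)  # suppress the automatic Host
        conn.putheader("Host", host_header)
        conn.endheaders()
        return conn.getresponse().status == 403
    finally:
        conn.close()


if __name__ == "__main__":
    device = sys.argv[1] if len(sys.argv) > 1 else None
    for host in SAMPLES:
        line = f"{host:34} rule forbids: {rule_forbids(host)}"
        if device:
            line += f"   device forbids: {device_forbids(device, host)}"
        print(line)
```

Run it with the address of your own Nodegrid device as the only argument; a row where the two columns disagree suggests one of the three files does not carry the rule, for example listen.conf after a Web Service change. The last sample shows that a client sending the port in the Host header is also refused, which matters if the web service is reached on a non-default port.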
Disabling DirectorySlash
If DirectorySlash is used in the configuration, it should be disabled to prevent page redirection. When a user appends a parameter after the slash, the request can be redirected to the attacker's IP address or hostname; changing the host or appending additional parameters to the request leads to the page redirection. If nothing follows the slash, no redirection occurs, and the IP address directs to the intended page. You can disable DirectorySlash in the apache2 configuration.
CAUTION
Apache does not recommend disabling DirectorySlash. The DirectorySlash directive controls whether Apache automatically adds a trailing slash to directory URLs. Disabling it can lead to other issues, such as broken links or improper handling of directory requests. Therefore, we recommend the previous procedure, Manually adding a host into whitelist.
To disable the DirectorySlash:
Access the device by SSH and go to shell:
    shell
    sudo su -
Modify the apache2 file /etc/apache2/httpd.conf.
    LoadModule auth_ticket_module modules/mod_auth_ticket.so
    <Directory />
        ###### Disabling trailing slash redirect
        DirectorySlash Off
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^OPTIONS
        RewriteRule .* - [F]
    </Directory>
Restart the apache2 service.
/etc/init.d/apache2 restart