Host header attacks possible with AG proxy

  • 7016282
  • 10-Mar-2015
  • 31-Mar-2015

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0

Situation

A potential HTTP Host header attack is described at http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html. A NAM admin wanted to know whether or not the Access Gateway (AG) was susceptible to this attack, such that redirects generated by the AG in response to an incoming request could point users to the wrong host.

For example, the Host HTTP header is manipulated so that a second Host header naming another website, www.google.com, is inserted before the original one. The incoming HTTP request into the AG then carries two Host headers. The AG appears to process the first and ignore the others, so under certain conditions (i.e. when the AG must generate a 302 redirect) our users are redirected to www.google.com instead of the original URL they were going to.

Resolution

Fixed in 4.1. We will reject requests that include two Host HTTP headers in the same request. We also log the fact that two HTTP Host headers have been received for the same request.

Additional Information

Here's what we will see in scenarios where this happens (curl verbose output, followed by the Apache error_log entries):

> GET /test.html HTTP/1.1
> User-Agent: curl/7.38.0
> Accept: */*
> Host: www.neilmag.com
> Host: www.neilmag2.com
>
< HTTP/1.1 400 Bad Request
< Date: Thu, 19 Feb 2015 11:22:25 GMT
* Server Apache is not blacklisted
< Server: Apache
< Vary: accept-language,accept-charset
< Accept-Ranges: bytes
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
< Content-Language: en
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//en">
<html lang="en">

The Apache error_log will print the messages below:

1) When accessing an https service

Feb 19 16:48:20 lmag1 httpd[8020]: [error] Hostname www.neilmag2.com provided via SNI and hostname www.neilmag.com provided via HTTP are different
Feb 19 16:48:20 lmag1 httpd[8020]: [error] Hostname www.neilmag2.com provided via SNI and hostname www.neilmag.com provided via HTTP are different

2) When accessing a non-https service

Feb 19 17:02:59 lmag2 httpd[16421]: [warn] AMEVENTID#37: ***Host Header Attack Detected, request is rejected*****
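As an added example (not NetIQ's Access Gateway code), the two checks visible in the output above, rejecting a request with more than one Host header and rejecting a Host that differs from the TLS SNI name, implemented as a standalone check over raw request bytes; the sample requests and SNI names below are constructed:

```python
"""Reject HTTP/1.1 requests carrying more than one Host header (added example,
not NetIQ's Access Gateway code; request bytes and SNI names are constructed)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Verdict:
    accepted: bool
    host: Optional[str]   # the single Host value when the request is accepted
    reason: str           # message a proxy would write to its error_log


def host_headers(raw_request: bytes) -> List[str]:
    """Return every Host value in the request head, in wire order.
    Header names are case-insensitive (RFC 7230), so 'host:' counts as well."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            values.append(value.strip().lower())
    return values


def check_host_header(raw_request: bytes, sni_host: Optional[str] = None) -> Verdict:
    """Apply the duplicate-Host rule, plus the SNI/Host match on TLS listeners."""
    hosts = host_headers(raw_request)
    if len(hosts) != 1:
        # Exactly one Host is required; a second one is the injection vector
        # described above, so reject instead of picking either value.
        return Verdict(False, None, "Host Header Attack Detected "
                       f"({len(hosts)} Host headers), request is rejected")
    if sni_host is not None and hosts[0] != sni_host.lower():
        return Verdict(False, None, f"Hostname {sni_host} provided via SNI and "
                       f"hostname {hosts[0]} provided via HTTP are different")
    return Verdict(True, hosts[0], "ok")


# Constructed sample input: the duplicate-Host request from the curl trace above.
ATTACK_REQUEST = (b"GET /test.html HTTP/1.1\r\nUser-Agent: curl/7.38.0\r\nAccept: */*\r\n"
                  b"Host: www.neilmag.com\r\nHost: www.neilmag2.com\r\n\r\n")
CLEAN_REQUEST = b"GET /test.html HTTP/1.1\r\nHost: www.neilmag.com\r\n\r\n"

if __name__ == "__main__":
    print(check_host_header(ATTACK_REQUEST))                               # rejected
    print(check_host_header(CLEAN_REQUEST, sni_host="www.neilmag.com"))    # accepted
```

A request with no Host header at all is rejected by the same rule, since HTTP/1.1 requires exactly one.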