[Ach] Redirect from HTTP to HTTPS and the big bad Host header - Github Pull #100

Christian Mehlmauer bettercrypto at firefart.at
Thu Apr 2 22:43:14 CEST 2015



As requested on GitHub
https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/100 I'm
writing to this mailing list to discuss the changes.

Currently the redirect from HTTP to HTTPS is done via this line (nginx):

return 301 https://$host$request_uri;

The problem: $host is a user controlled variable, the HOST header.

http://nginx.org/en/docs/http/ngx_http_core_module.html

"in this order of precedence: host name from the request line, or host
name from the “Host” request header field, or the server name matching
a request"

So this is only an issue when hitting the default server because in a
named vhost based environment the host header is evaluated first to
select the correct server.

I think this one is hard to exploit, but it should be changed because
it's bad behaviour to use untrusted user input.

You can send a request to the server like:
GET / HTTP/1.1
Host: www.google.at

or

GET http://www.google.at HTTP/1.0

and get redirected to google, so this is kind of an "open redirect"
which would be very hard to exploit (still thinking of a useful
exploit using this).

According to Google there are also a few browser bugs out there that
make it possible to change the Host header of a request done via
JavaScript.

Anyway, as this document is a best practice guide, I think this line
should be changed (and maybe the other webserver configs too).

Christian Mehlmauer
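An added example of the kind of nginx configuration the mail argues for, not taken from the mail or from the Applied-Crypto-Hardening repository: the redirect target is built from a fixed hostname rather than from $host, and a catch-all default server absorbs requests whose Host header or absolute request-URI names a host that is not served here. The hostnames example.com and www.example.com are placeholders.

```nginx
# Added example; hostnames are placeholders, not values from the mail.

# Default server: handles every request whose host (request line or
# Host header) matches none of the configured names. It never redirects,
# so a client-chosen host can never end up in a Location header.
# 444 is an nginx-specific code that closes the connection without
# sending a response.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# HTTP vhost for the real names. The redirect uses a literal hostname,
# so the Location header is fixed regardless of what the client sent.
# With exactly one server_name, $server_name would be equivalent; with
# several names it expands to the first one listed, so the literal is
# the clearer choice.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

# The weak form discussed in the mail, kept here only for comparison.
# $host is taken from the request line or the Host header, so on a
# default server it is fully client-controlled:
#
# server {
#     listen 80 default_server;
#     return 301 https://$host$request_uri;
# }
```

With this layout the two requests quoted in the mail (a Host header of www.google.at, or an absolute request-URI in an HTTP/1.0 request line) both fall through to the default server and get no redirect at all, while requests for the configured names are redirected to a hostname the operator chose.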