[Ach] Redirect from HTTP to HTTPS and the big bad Host header - Github Pull #100
bettercrypto at firefart.at
Thu Apr 2 23:06:25 CEST 2015
The issue is: you trust user input and it may be exploited in
Using the MitM principle you described, a reflected Cross Site
Scripting over HTTP is not an issue, because it can always be
intercepted and changed on the fly.
If you use the return 301 ..... line over an HTTPS connection, for
example when doing redirections of old URLs, you also trust user input
and there is no MitM taking place.
So using the $host variable should be avoided where possible in my opinion.
On 02/04/15 22:53, Hanno Böck wrote:
> On Thu, 02 Apr 2015 22:43:14 +0200 Christian Mehlmauer
> <bettercrypto at firefart.at> wrote:
>> Currently the redirect from HTTP to HTTPS is done via this line
>> return 301 https://$host$request_uri;
>> The problem: $host is a user-controlled variable, the HOST
> I'm not sure I'm getting the issue here. The redirect from http is
> unencrypted, thus you have to expect that this is not secure. The
> whole redirect is not only user-controlled, it's essentially
> attacker-controlled for MitM-attacker scenarios. This is the well-known
> SSL stripping issue and the reason people should use HSTS.
> There's nothing to secure here, because it is insecure by design.
> If you're worried use HSTS. If you're worried even more let your
> domain be preloaded into the browsers (just did that with mine).
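As an added example (not taken from this thread or from the ACH project's own configuration), the nginx redirect under discussion in its weak form next to a hardened form; example.com, the certificate paths and the HSTS max-age are assumptions chosen for illustration:

```nginx
# Weak: whatever Host header the client sends is copied into the Location
# header. If this block is the default server (or the only one), a request
# carrying "Host: attacker.example" is answered with a redirect to
# https://attacker.example/..., i.e. an open redirect built from user input.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

# Hardened, part 1: a catch-all server for unknown or missing Host values.
# Status 444 makes nginx close the connection without sending a response,
# so nothing derived from the bogus Host header is ever reflected.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Hardened, part 2: only the names listed here reach this block, and the
# redirect target is spelled out instead of being taken from the request.
# (www.example.com is folded into example.com here; adjust if both should
# keep their own name.)
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

# HTTPS side (certificate paths are placeholders). HSTS makes returning
# browsers skip the plaintext hop altogether, which addresses the
# SSL-stripping MitM case raised in the thread; the "always" parameter
# keeps the header on error responses too.
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /etc/ssl/PLACEHOLDER/fullchain.pem;
    ssl_certificate_key /etc/ssl/PLACEHOLDER/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # ... site configuration ...
}
```

A quick check after deploying: `curl -si -H 'Host: attacker.example' http://<server-ip>/` should get no HTTP response at all from the catch-all block, while a request with the real Host value should return a Location header naming example.com.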