[Ach] Redirect from HTTP to HTTPS and the big bad Host header - Github Pull #100
Christian Mehlmauer
bettercrypto at firefart.at
Thu Apr 2 23:06:25 CEST 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
The issue is: You trust user input and it maybe can be exploited in
other ways than Mitm like via Javascript on a site.
Using the Mitm principle you described, a reflected Cross Site
Scripting over HTTP is not an issue, because it can always be
intercepted and changed on the fly.
If you use the return 301 ..... line over an HTTPs connection for
example when doing redirections of old URLs, you also trust user input
and there is no Mitm taking place.
So using the $host variable should be avoided were possible in my opinio
n.
On 02/04/15 22:53, Hanno Böck wrote:
> On Thu, 02 Apr 2015 22:43:14 +0200 Christian Mehlmauer
> <bettercrypto at firefart.at> wrote:
>
>> Currently the redirect from HTTP to HTTPS is done via this line
>> (nginx):
>>
>> return 301 https://$host$request_uri;
>>
>> The problem: $host is a user controlled variable, the HOST
>> header.
>
> I'm not sure I'm getting the issue here. The redirect from http is
> unencrypted, thus you have to expect that this is not secure. The
> whole redirect is not only user-controlled, it's essentially
> attacker-controlled for MitM-attacker scenarios. This is the well
> known ssl stripping issue and the reason people should use HSTS.
>
> There's nothing to secure here, because it is insecure by design.
> If you're worried use HSTS. If you're worried even more let your
> domain be preloaded into the browsers (just did that with mine).
>
>
>
> _______________________________________________ Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJVHa9RAAoJENz1SgXW5iWROWIQAJYbP7esiT/2vT1Dj4K9nBi+
ghFsGu1ALyZoXWjxlKCW0yppGntQW96/BChHrQVIeXOOvLHn8j2wdAPC0VeR6iEO
CqJWPa4B86N5A7rR/HOsCBFJlEtQYjsclQAdQ7tBNkZfkSs+cCO5RqppxnkhDJ+Y
A6xUf96ESmWF/8LxteZrGd8hR1dmESwLqkkX0XIud9/BwliOahJJ3oDVwWY/xZ7w
CrbdzM7VmaNB6/CbfZrJeCeGXUTzcAzTSzDlOwi3SQ7GUUSrUNOz0aUx9vp1EBcV
jigMPNFEWvMsAPE95Zw4cCHuXZveWOAOfwdvPx4SZoidbCcQm0vBALgaq5jrHJhV
sQR4OITJDwteoSdVxbXED29YcNSFvMEcblbb+qwQw91UuIRQ/oPfRo04PkqLPIo7
odHvv8djxB3VKmhkaomVtMrHE6lt04PEqeiRzszbLCEJs27NajgZxhE9vKSn5z2F
49YrHS2NL2y9ZOlbfqve1hEcVsxm3aGZEtSGWnwIElXReZlb4Q8SqehMEnxpJcmY
Utm25yfb0DHOe1lKJsY5jMcPNFaSX79QqNIV9mCQRkC/ovlTAp+o8LGmUFy6PlhT
M3gkzG2+U8pq5dR6fduMfFox1CjOhoV2RNPTdL1v7vlDYfJKaPBdY7ftwq536Y3w
u0iSkVLz6nWe9nsD3MA5
=8v3K
-----END PGP SIGNATURE-----
More information about the Ach
mailing list