- From: Chris Weber <chris@lookout.net>
- Date: Sun, 17 Jul 2011 00:23:38 -0700
- To: Mark Nottingham <mnot@mnot.net>
- CC: Amit Klein <aksecurity@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, Henrik Nordström <henrik@henriknordstrom.net>, Lisa Dusseault <lisa.dusseault@gmail.com>
On 7/16/2011 11:03 PM, Mark Nottingham wrote:
> My understanding was that these holes had been closed, and that while there are undoubtedly still some clients out there that allow Host headers to be set, it's not an attractive attack to make now. What's the current state of things?
>
>
> On 17/07/2011, at 3:48 PM, Amit Klein wrote:
>
>> In the past (and this may re-incarnate) it was possible for clients to
>> provide arbitrary Host headers with HTTP requests, thus rendering the
>> Host header verification defense somewhat useless. See e.g.:
>> http://archive.cert.uni-stuttgart.de/bugtraq/2006/09/msg00090.html
>>
>> Most of these holes have been closed.

Save for the exceptions where similar bugs will probably continue to surface, which it sounds like Amit was alluding to, as something recently did <http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails>. Having servers verify the Host header still seems valuable as defense in depth but not as the panacea of course.

-Chris
Received on Sunday, 17 July 2011 07:24:15 UTC
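As an added example (not code from anyone in the thread), here is the kind of server-side Host header allowlist check Chris describes as defense in depth; the hostnames in ALLOWED_HOSTS are constructed for illustration, and the check normalizes case, strips an optional port and IPv6 brackets, and rejects malformed values rather than guessing.

```python
# Added example, not part of the thread: a server-side Host header
# allowlist check used as defense in depth alongside other CSRF controls.
# The hostnames below are constructed; a real deployment supplies its own.
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.test", "www.app.example.test"}


def normalize_host(raw: Optional[str]) -> Optional[str]:
    """Return the lowercased hostname from a Host header value, or None.

    Accepts host, host:port, [v6]:port. Rejects empty values, embedded
    whitespace, userinfo, paths/queries and non-numeric ports, so a
    value like "app.example.test/evil" or "x@app.example.test" is refused.
    """
    if raw is None:
        return None
    value = raw.strip()
    if not value or any(ch.isspace() for ch in value):
        return None
    # Reuse urlsplit's authority parsing so host/port handling follows
    # the URL rules instead of a hand-rolled split on ':'.
    try:
        parts = urlsplit("//" + value)
        _ = parts.port  # raises ValueError for a non-numeric port
    except ValueError:  # also raised for a malformed IPv6 literal
        return None
    if parts.hostname is None or parts.username is not None:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return parts.hostname.lower()


def host_allowed(raw: Optional[str], allowed=ALLOWED_HOSTS) -> bool:
    """True only when the Host header names one of our own hostnames."""
    host = normalize_host(raw)
    return host is not None and host in allowed


if __name__ == "__main__":
    for sample in ("app.example.test", "APP.Example.Test:443",
                   "evil.example.test", "app.example.test/evil", None):
        print(repr(sample), "->", host_allowed(sample))
```

A request failing this check should be rejected before any state-changing handler runs; an absent Host header (HTTP/1.0 clients) fails closed here as well.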