- From: Bil Corry <bil@corry.biz>
- Date: Wed, 10 Feb 2010 01:37:43 -0800
- To: Maciej Stachowiak <mjs@apple.com>
- CC: Julian Reschke <julian.reschke@gmx.de>, Anne van Kesteren <annevk@opera.com>, Thomas Roessler <tlr@w3.org>, W3C WebApps WG <public-webapps@w3.org>, public-web-security@w3.org
Maciej Stachowiak wrote on 2/9/2010 4:13 AM:

> HTTPbis should address this threat in the security considerations
> section, and should strongly consider making it a MUST-level
> requirement for servers to check that the Host header is a host they
> serve. If HTTP had that requirement and all servers followed it, then
> the risk of DNS rebinding attacks would be eliminated.

Another threat is an attacker crafting a malicious payload in the Host header, hoping that it gets logged and then viewed via a web browser.

And some webapps conditionally show debugging information based on the Host header, so that the production hostname has a generic error page and the staging hostname produces a full stack trace. Simply forging the Host header allows an attacker to view the full debugging information.

There are probably other threats too, such as a site using the Host header to craft links, etc.

- Bil
Received on Wednesday, 10 February 2010 09:38:15 UTC
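The server-side check the thread asks for, written as an added example rather than code from either poster: the request's Host header is accepted only if it names a host the server actually serves, and the three misuses Bil lists (log poisoning, host-keyed debug output, link generation) are tied to the validated value instead of the raw header. The host names, the debug-host set and the log marker are constructed assumptions.

```python
import re

# Constructed allowlist: the hosts this server actually serves.
SERVED_HOSTS = {"www.example.com", "example.com", "staging.example.com"}
CANONICAL_HOST = "www.example.com"          # used for all generated links
DEBUG_HOSTS = {"staging.example.com"}       # only these may show stack traces

# A Host header is a hostname or bracketed IPv6 literal, optionally ":port".
# Anything outside that grammar (spaces, markup, control bytes) is rejected.
_HOST_RE = re.compile(
    r"(?P<host>\[[0-9a-fA-F:.]+\]|[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?"
)

def normalize_host(header_value):
    """Return the lower-cased host without port, or None if malformed."""
    if header_value is None:
        return None
    m = _HOST_RE.fullmatch(header_value.strip())
    if not m:
        return None
    host = m.group("host").lower().rstrip(".")   # drop trailing FQDN dot
    return host or None

def host_is_served(header_value):
    """The MUST-level check: Host must name a host in SERVED_HOSTS."""
    host = normalize_host(header_value)
    return host is not None and host in SERVED_HOSTS

def debug_enabled(header_value):
    """Debug output keys off the validated host, so a forged Host header on
    a production request cannot switch on the staging stack trace."""
    host = normalize_host(header_value)
    return host_is_served(header_value) and host in DEBUG_HOSTS

def absolute_link(path, header_value):
    """Build links from the canonical host, never from the client's Host."""
    if not host_is_served(header_value):
        raise ValueError("request for a host this server does not serve")
    return "https://%s%s" % (CANONICAL_HOST, path)

def log_safe_host(header_value):
    """Value to write to access logs: the validated host, or a fixed marker,
    so raw header bytes never reach a browser-based log viewer."""
    if host_is_served(header_value):
        return normalize_host(header_value)
    return "INVALID_HOST"   # constructed marker; the raw value is not logged
```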