Re: [XHR] XMLHttpRequest specification lacks security considerations

Maciej Stachowiak wrote on 2/9/2010 4:13 AM: 
> HTTPbis should address this threat in the security considerations
> section, and should strongly consider making it a MUST-level
> requirement for servers to check that the Host header is a host they
> serve. If HTTP had that requirement and all servers followed it, then
> the risk of DNS rebinding attacks would be eliminated.

Another threat is an attacker crafting a malicious payload in the Host header, hoping that it gets logged then viewed via a web browser.

And some webapps conditionally show debugging information based on the host header, so that the production hostname has a generic error page and the staging hostname produces a full stack trace.  Simply forging the host header allows an attacker to view the full debugging information.

There are probably other threats too, such as a site using the Host header to craft links, etc.


- Bil

Received on Wednesday, 10 February 2010 09:38:15 UTC
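The defensive counterpart to the threats discussed in this thread, as an added example that is not part of the original message or of any W3C or HTTPbis text: a small Python module that performs the server-side check the quoted paragraph calls for (accept a request only when the Host header names a host the server actually serves), escapes control characters before a Host value reaches a log and HTML-escapes it before a log viewer renders it, and bases the debug-versus-production decision on a deployment setting rather than on the forgeable Host value. The allowlist, the request handler and the sample inputs are constructed for illustration.

```python
"""Host header validation and safe logging (illustrative, constructed example)."""
import html
import logging
import re
from typing import Iterable, Optional, Tuple

# Constructed allowlist: the hostnames this deployment actually serves.
ALLOWED_HOSTS = frozenset({"www.example.com", "example.com"})

# One DNS hostname: labels of 1-63 chars, alphanumerics and inner hyphens only.
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def normalize_host(host_header: str) -> Optional[str]:
    """Return the lowercase hostname with any :port removed, or None when the
    header is not syntactically a host. Bracketed IPv6 literals are accepted
    and returned with their brackets; anything containing control characters,
    a bad port or an invalid label is rejected outright."""
    value = host_header.strip().lower()
    if not value:
        return None
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None
        rest = value[end + 1:]
        if rest and not re.fullmatch(r":\d{1,5}", rest):
            return None
        return value[: end + 1]
    hostname, sep, port = value.rpartition(":")
    if sep:
        if not port.isdigit() or not 0 < int(port) <= 65535:
            return None
    else:
        hostname = value
    hostname = hostname.rstrip(".")
    if not _HOSTNAME_RE.fullmatch(hostname):
        return None
    return hostname


def host_is_served(host_header: str, allowed: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """The check the quoted message asks servers to perform: the Host header
    must name a host this server serves. A request from a rebound DNS name,
    or with a forged staging hostname, fails here before any Host-dependent
    logic (links, debug pages) can run."""
    host = normalize_host(host_header)
    return host is not None and host in {h.lower() for h in allowed}


def sanitize_for_log(value: str, max_len: int = 255) -> str:
    """Escape CR, LF and other control characters so a crafted header cannot
    forge extra log lines, and cap the length to bound log growth."""
    escaped = _CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), value)
    return escaped[:max_len]


def log_field_as_html(value: str) -> str:
    """What a web-based log viewer must do with a logged header value: treat it
    as text, never as markup, so a payload aimed at the viewer is inert."""
    return html.escape(value, quote=True)


def handle_request(host_header: str, debug_enabled: bool = False) -> Tuple[int, str]:
    """Constructed request handler. Unknown hosts are rejected (and logged
    safely) first; only a validated host is used to build absolute links, and
    the debug/production choice comes from `debug_enabled`, a deployment
    setting, never from which hostname the client claimed."""
    if not host_is_served(host_header):
        logging.warning("rejected request with Host=%s", sanitize_for_log(host_header))
        return 400, "Bad Request: unknown Host"
    self_link = "https://%s/" % normalize_host(host_header)
    if debug_enabled:
        return 200, "debug page (stack traces enabled) at %s" % self_link
    return 200, "generic error page at %s" % self_link


if __name__ == "__main__":
    for hdr in ("www.example.com", "staging.example.com", "evil\r\nX-Injected: 1"):
        print(repr(hdr), "->", handle_request(hdr))
```

`debug_enabled` stands in for whatever real configuration flag a framework exposes; the point is that the decision is tied to the deployment, so that a client cannot flip it simply by sending the staging hostname.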