Redirection via Arbitrary Host Header Manipulation

Posted: Fri Oct 13, 2023 6:37 am
by hemantdhimann22
Hi,
We have a PCI scan for a server running OpenVPN.
The PCI scan failed on this server.

THREAT:
The Host header is an HTTP request header that specifies the domain name of the server the client is trying to communicate with. It allows a single web server to host multiple websites by distinguishing between them based on the domain name provided in the Host header.

SOLUTION:
Implementing proper validation and sanitization of input headers is essential to mitigate the risks of Host header injection.
Whitelist domains: only allow permitted domains to be included in the Host header.
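The allowlist check the scanner's SOLUTION asks for, as an added example that is not part of the post, of OpenVPN, or of the scanner's guidance: the permitted hostnames are constructed placeholders, and the check normalises case, a trailing dot and an optional port before requiring an exact match, so substring or suffix variants of a permitted name are rejected.

```python
# Added example: strict Host header allowlist check of the kind the post's
# SOLUTION describes. The allowed names below are constructed placeholders.
ALLOWED_HOSTS = frozenset({"vpn.example.com", "portal.example.com"})


def normalize_host(header_value: str):
    """Split a raw Host header into (hostname, port) and normalise the name.

    Returns None when the value is malformed. The port part is optional;
    an IPv6 literal must be bracketed ("[::1]:443").
    """
    value = header_value.strip()
    if not value:
        return None
    if value.startswith("["):  # bracketed IPv6 literal
        close = value.find("]")
        if close == -1:
            return None
        host, rest = value[1:close], value[close + 1:]
        if rest and not rest.startswith(":"):
            return None
        port = rest[1:] if rest else None
    else:
        host, sep, port = value.partition(":")
        port = port if sep else None
    if port is not None and (not port.isdigit() or not 1 <= int(port) <= 65535):
        return None
    # DNS names are case-insensitive; drop a trailing dot (absolute FQDN form).
    host = host.rstrip(".").lower()
    if not host:
        return None
    return host, port


def host_header_allowed(header_value: str, allowed=ALLOWED_HOSTS) -> bool:
    """True only when the hostname is an exact member of the allowlist.

    Exact comparison matters: substring or suffix checks would accept
    'vpn.example.com.attacker.invalid' or 'evilvpn.example.com'.
    """
    parsed = normalize_host(header_value)
    if parsed is None:
        return False
    host, _port = parsed
    return host in allowed
```

A request whose Host value fails this check should be answered with a fixed error page rather than redirected or used to build absolute URLs.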