How to exploit HTTP "Host" header XSS vulnerability?

Views: 168

Question

Question about how to exploit an HTTP header XSS vulnerability?


Let's say that a page is just printing the value of the HTTP 'Host' header with no escaping. So the page is vulnerable to an XSS attack, i.e. an attacker can craft a GET request with a 'Host' header containing something like alert('xss');.


But how can you actually use this to attack a target? How can the attacker make the target issue that specific request with that specific header?

Answer


The HTTP Host header is basically used as a string to figure out which of the (potentially many) name-based hosts in the server configuration should be used to serve up the request.


Let's say you forged up an HTTP request and got this header sent over:

Host: <script>alert('foo');</script>.example.com


The ONLY way this could get through to the PHP script you want to attack is if the webmaster configured the server and site definition to allow that explicit hostname, or has wildcard naming in place, e.g.

<VirtualHost ...>
    ServerName www.example.com
    ServerAlias *.example.com
</VirtualHost>


Since the wildcard allows ANYTHING before .example.com, your JS-hostname would get through.


But a vhost configured like this:

<VirtualHost ...>
    ServerName www.example.com
    ServerAlias web.example.com
</VirtualHost>


would not be vulnerable, because the Host name you've provided is not matched by ANY of the configured hostnames. The request may be handled by some other catch-all vhost, but since your vulnerable script doesn't exist on that site, that's useless to you.
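As an added example (not part of the question or the answer above), the following Python models the name-based vhost selection the answer describes, approximating Apache's ServerAlias wildcards with fnmatch (an assumption), and shows the defensive side: an application that needs a hostname should take it from an explicit non-wildcard allowlist or its configured canonical name and HTML-escape it, never echo the raw header. VHost, hostname_from_header, vhost_accepts, render_host and CANONICAL_HOST are names chosen for this example.

```python
import fnmatch
import html
from dataclasses import dataclass
from typing import List


@dataclass
class VHost:
    """Minimal stand-in for an Apache <VirtualHost> block (ServerName + ServerAlias)."""
    server_name: str
    server_alias: List[str]

    def names(self) -> List[str]:
        return [self.server_name, *self.server_alias]


# Constructed definitions mirroring the two configurations in the answer.
WILDCARD_VHOST = VHost("www.example.com", ["*.example.com"])
EXPLICIT_VHOST = VHost("www.example.com", ["web.example.com"])
# Canonical hostname the application uses instead of trusting the request header.
CANONICAL_HOST = "www.example.com"


def hostname_from_header(header_value: str) -> str:
    """Normalise a raw Host header: drop an optional :port, lower-case the name."""
    value = header_value.strip()
    if value.startswith("["):                       # IPv6 literal such as [::1]:80
        return value.split("]", 1)[0].lstrip("[").lower()
    return (value.rsplit(":", 1)[0] if ":" in value else value).lower()


def vhost_accepts(vhost: VHost, header_value: str) -> bool:
    """True if name-based selection would route this Host value to the vhost.
    Apache's ServerAlias accepts shell-style * and ? wildcards; fnmatch approximates that."""
    host = hostname_from_header(header_value)
    return any(fnmatch.fnmatchcase(host, name.lower()) for name in vhost.names())


def render_host(header_value: str, vhost: VHost) -> str:
    """Defensive rendering: echo the Host only if it exactly matches a configured
    non-wildcard name, otherwise fall back to CANONICAL_HOST; always HTML-escape."""
    host = hostname_from_header(header_value)
    allowlist = {n.lower() for n in vhost.names() if "*" not in n and "?" not in n}
    return html.escape(host if host in allowlist else CANONICAL_HOST, quote=True)


if __name__ == "__main__":
    payload_host = "<script>alert('foo');</script>.example.com"   # value from the answer
    for label, vh in (("wildcard", WILDCARD_VHOST), ("explicit", EXPLICIT_VHOST)):
        print(f"{label:9s} vhost routes the payload host: {vhost_accepts(vh, payload_host)}")
    print("safely rendered:", render_host(payload_host, WILDCARD_VHOST))
```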
