Here is an example of vulnerable code that is susceptible to a Host Header Injection attack:
🥺 Vulnerable Code
```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PasswordResetServlet extends HttpServlet {

    public void resetPassword(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String email = request.getParameter("email");

        // VULNERABLE: the Host header is supplied by the client, so whoever sends the
        // request decides which hostname ends up in the reset link.
        String resetLink = "https://" + request.getHeader("Host") + "/reset-password?email=" + email;

        // Send password reset link to the user's email
        // ...
        response.sendRedirect(resetLink);
    }
}
```
In the vulnerable code snippet above:

- The `resetPassword` method takes an HTTP request and response as parameters and extracts the `email` parameter from the request.
- It constructs the password reset link directly from the `Host` header of the HTTP request. The `Host` header is chosen by the client, so an attacker can request a reset for a victim's email while sending a `Host` value that points at a server the attacker controls; the link mailed to the victim then leads to the attacker's site, and whatever the link carries is disclosed when the victim clicks it. The same string is also passed to `sendRedirect`, so the response itself becomes an open redirect to the attacker's host.
😎 Secure Code
```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PasswordResetServlet extends HttpServlet {

    // The hostname used in generated links comes from the application, never from the request.
    private static final String APP_DOMAIN = "example.com";

    public void resetPassword(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String email = request.getParameter("email");

        // SAFE: the Host header is not consulted; the link always points at APP_DOMAIN.
        String resetLink = "https://" + APP_DOMAIN + "/reset-password?email=" + email;

        // Send password reset link to the user's email
        // ...
        response.sendRedirect(resetLink);
    }
}
```
In the secure code snippet above:

- We've introduced a constant `APP_DOMAIN`, which represents the legitimate domain of the application. This domain is not derived from the `Host` header.
- Instead of `request.getHeader("Host")`, we use the constant `APP_DOMAIN` to construct the password reset link. This ensures that the link is always generated using the expected and trusted domain, mitigating the host header injection vulnerability. If the application is legitimately served under several hostnames, the equivalent fix is to check the incoming `Host` header against an allowlist of those hostnames and reject anything else; either way, the hostname written into the link never comes unchecked from the request.
Note that the secure snippet still performs no validation or URL-encoding of the `email` parameter; it is concatenated into the link exactly as received. That is a separate issue from host header injection, but a complete fix should validate the address and encode it before placing it in the URL.
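A single hard-coded constant only works when the application answers to exactly one hostname. The following is an added example, not code from the original page, showing the allowlist variant in plain Java (no servlet container needed) together with URL-encoding of the email parameter. The class name `ResetLinkBuilder`, the hostnames in `ALLOWED_HOSTS` and the sample `Host` values in `main` are assumptions made for illustration; it requires Java 11 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

public final class ResetLinkBuilder {

    // Hypothetical allowlist of hostnames this application is served under.
    // A real deployment would load it from configuration rather than hard-code it.
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.com", "www.example.com");

    /**
     * Returns the canonical hostname if the raw Host header value is on the allowlist,
     * otherwise Optional.empty(). The value is lower-cased and an explicit port
     * (e.g. "example.com:443") is stripped before comparing. The comparison is an
     * exact set lookup, not a prefix or suffix match, so a value such as
     * "example.com.attacker.test" does not pass.
     */
    static Optional<String> trustedHost(String hostHeader) {
        if (hostHeader == null || hostHeader.isBlank()) {
            return Optional.empty();
        }
        String host = hostHeader.trim().toLowerCase(Locale.ROOT);
        if (host.startsWith("[")) {
            return Optional.empty(); // IPv6 literals are never in this allowlist
        }
        int colon = host.indexOf(':');
        if (colon >= 0) {
            host = host.substring(0, colon);
        }
        return ALLOWED_HOSTS.contains(host) ? Optional.of(host) : Optional.empty();
    }

    /**
     * Builds the reset link in the same shape as the page's snippet, but only from a
     * validated host and with the email parameter URL-encoded.
     */
    static String buildResetLink(String hostHeader, String email) {
        String host = trustedHost(hostHeader)
                .orElseThrow(() -> new IllegalArgumentException("untrusted Host header: " + hostHeader));
        String encodedEmail = URLEncoder.encode(email, StandardCharsets.UTF_8);
        return "https://" + host + "/reset-password?email=" + encodedEmail;
    }

    public static void main(String[] args) {
        // Constructed sample Host values: the first two are legitimate, the last two are attacks.
        String[] hosts = {
            "www.example.com",
            "EXAMPLE.COM:443",
            "attacker.test",              // plain Host spoofing
            "example.com.attacker.test"   // would pass a naive startsWith("example.com") check
        };
        for (String h : hosts) {
            try {
                System.out.println(h + " -> " + buildResetLink(h, "alice+test@example.com"));
            } catch (IllegalArgumentException e) {
                System.out.println(h + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Inside a servlet you would pass `request.getHeader("Host")` as the first argument. Two caveats apply when this runs behind a reverse proxy: frameworks that honour `Forwarded` or `X-Forwarded-Host` will take the hostname from those headers instead, so they must be validated the same way or overwritten by the proxy; and the web server or proxy itself can be configured with a default virtual host that rejects requests for unknown hostnames, which stops spoofed `Host` values before they reach the application at all.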