Cloudflare redirects HTTP requests to injected Host header

A vulnerability scanner reported that our web app is vulnerable to Host header injection. Cloudflare redirects to the domain from the injected Host header when the request is sent via HTTP (not HTTPS).

Example

$ curl -i -s -k -X $'GET' \
  -H $'Host: evil.com' \
  -H $'Host: our.domain' \
  -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' \
  $'http://our.domain/'
HTTP/1.1 301 Moved Permanently
Date: Thu, 11 Aug 2022 10:47:10 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 11 Aug 2022 11:47:10 GMT
Location: https://evil.com/
Server: cloudflare
CF-RAY: 739064456c732d43-KBP

WAF rules are not triggered by these cURL requests, both with “Always use HTTPS” enabled and disabled.

But Cloudflare itself responds with a 403 status for such requests:

$ curl -i -s -k -X $'GET' \
  -H $'Host: evil.com' \
  -H $'Host: cloudflare.com' \
  -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' \
  $'http://cloudflare.com/'
HTTP/1.1 403 Forbidden
Date: Thu, 11 Aug 2022 11:00:34 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 739077e47c222d5b-KBP

error code: 1034

There are related topics on the community forum:

How to catch, validate, and block injected Host headers?
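The check asked for above, as an added example that is not from this thread or from Cloudflare: an origin-side validator (Python; the allowlist, sample requests and function names are assumptions) that rejects a request carrying zero or multiple Host headers, as in the duplicate-Host request shown, and builds the HTTP-to-HTTPS redirect only from an allowlisted value.

```python
"""Constructed example: validate the Host header before it is ever used
to build a redirect. Duplicate Host headers are rejected outright instead
of picking either copy."""
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: the names this origin is actually served under.
ALLOWED_HOSTS = {"our.domain", "www.our.domain"}


@dataclass
class HostCheck:
    ok: bool
    reason: str
    host: Optional[str] = None


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.1 request head into (name, value) pairs, keeping
    duplicates so every Host header that was sent stays visible."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if line:
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_host(raw: bytes, allowed=ALLOWED_HOSTS) -> HostCheck:
    hosts = [v for n, v in parse_headers(raw) if n == "host"]
    if len(hosts) != 1:
        # RFC 9112 section 3.2: none or more than one Host header is a
        # 400 Bad Request; never choose between the duplicates.
        return HostCheck(False, f"expected exactly one Host header, got {len(hosts)}")
    value = hosts[0].lower()
    if value.startswith("["):            # IPv6 literal such as [::1]:8443
        host = value.split("]", 1)[0] + "]"
    else:
        host = value.split(":", 1)[0]    # drop an explicit port
    if host not in allowed:
        return HostCheck(False, f"host {host!r} not in allowlist", host)
    return HostCheck(True, "ok", host)


def https_redirect(raw: bytes) -> tuple[int, dict]:
    """Issue the HTTP->HTTPS 301 only from a validated Host; otherwise 400."""
    result = check_host(raw)
    if not result.ok:
        return 400, {"Content-Type": "text/plain"}
    path = raw.split(b" ", 2)[1].decode("latin-1")
    return 301, {"Location": f"https://{result.host}{path}"}


# Constructed requests: the duplicate-Host case from the report, and a clean one.
INJECTED = b"GET / HTTP/1.1\r\nHost: evil.com\r\nHost: our.domain\r\nAccept: text/html\r\n\r\n"
CLEAN = b"GET /login HTTP/1.1\r\nHost: our.domain:80\r\n\r\n"
```

Run behind the CDN the same check still applies, since the origin sees whatever Host value the edge forwards.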

As per the two topics you linked:

