Host Header Poisoning

Hi there,

Do you guys know why Cloudflare is redirecting (301) to different domain when we set it on “Host” header? Sounds like a security issue.

Please advice,
Cheers,

If the domain (including subdomains) has “always use HTTPS” turned on, CF will redirect any http:// to https://

2 Likes

Thanks @Judge for your quick answer. Even with the option “always use HTTPS” turned off, CF still redirecting to https + the external host domain.

Redirecting from http to https is fine, but is there any reason why CF redirects to the external domain?

Thanks in advance,

The Host header determines for which hostname/website the request is meant for. CloudFlare doesn’t have a unique ip per website, instead it uses the same ip for multiple websites.
So that’s why it uses the Host header to determine for which website it should handle it, and because you set the Host header to a other website, it handled the request like it was for that website, thus returning a redirect to that website

Thanks @arunesh90 for your feedback.

This has been reported by our web application vulnerability scanner. Does it mean that our application is vulnerable to host header injection? because the host header can be changed to something outside the target domain.

Attack vectors are somewhat limited but depends on how the host header is used by the back-end application code. If code references the hostname used in the URL such as password reset pages, an attacker could spoof the host header of the request in order to trick the application to forwarding the password reset email to the attackers domain instead, etc. Other attack vectors may also be possible through manipulation of hyperlinks or other misc. code that relies on the host/domain of the request.
There are many blogs, articles and white papers describing this vulnerability and associated attack vectors.

Why CF doesn’t reject requests that do not originate from the same origin?

Thanks in advance,

Being able to change the Host header is only a problem when it’s possible on your own reverse proxy and also accepts hostnames that are not normally allowed.
But in this case, Cloudflare is the reverse proxy, and Cloudflare has millions of websites that make use of it’s service and reverse proxy, so it’s not a vulnerability in this case that you can just change the Host header to a different Cloudflare domain and that it’ll actually accept and handle it.

1 Like

Thanks @arunesh90 for your feedback.