Host Header injection/tampering

Hi there!

Does the MGW block requests with two host headers? I’m wondering about attack vectors like these: How to identify and exploit HTTP Host header vulnerabilities | Web Security Academy

Thanks!

Hi @mhe

Thank you for asking this question. The answer is not that simple and depends a bit on the setup.

  • Data plane mode “Sidecar”
    There are currently no checks. If multiple Host headers are received, they are forwarded in a comma-separated format to the upstream service. Maybe a workaround with a Lua script is possible.

  • Data plane mode “Sidecarless” (Gateway API)
    Requests with multiple Host headers are blocked if a hostname is configured in the ‘hostnames’ field of the ‘HTTPRoute’.

As you might know, Airlock Microgateway is based on Envoy. The mentioned behavior in “data plane mode ‘Sidecar’” is Envoy’s default behavior. The mentioned feature for “data plane mode ‘Sidecarless’” provides protection against such requests. Anyway, we are looking into possible solutions to provide protection also for our clients using “data plane mode ‘Sidecar’”.

To sum up:
Airlock Microgateway currently provides a solution for “data plane mode ‘Sidecarless’”, if correctly configured. We are looking into possible solutions to improve the protection in a newer release.

Cheers
Stefan

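The thread above describes two things an upstream service may receive: a request that still carries several Host headers, or (behind an Envoy-based proxy in the “Sidecar” data plane mode) a single Host header whose value is the comma-joined list of the originals. The following is an added example, not code from this thread, from Airlock Microgateway or from Envoy; it shows a defensive check an upstream application or a proxy extension could apply to reject both shapes and to enforce an allow-list of expected hostnames. The sample requests and the allow-list are constructed for the example.

```python
"""Added example: reject requests with more than one Host header, reject the
comma-joined Host value a proxy may forward after folding duplicates, and
enforce a hostname allow-list. Sample requests below are constructed, not
captured traffic."""

from typing import List, Set, Tuple

# Constructed sample requests (hostnames are placeholders).
CLEAN_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: shop.example.com\r\n"
    b"User-Agent: test\r\n\r\n"
)
DUPLICATE_HOST_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: shop.example.com\r\n"
    b"Host: other.example.net\r\n\r\n"
)
# What an upstream sees after a proxy folds duplicate headers into one value.
FOLDED_HOST_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: shop.example.com,other.example.net\r\n\r\n"
)

# Hostnames this service is prepared to serve (constructed allow-list).
ALLOWED_HOSTS: Set[str] = {"shop.example.com"}


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in wire order with lower-cased names.

    Duplicates are deliberately kept, because counting them is the point.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:  # lines[0] is the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def host_header_check(raw: bytes, allowed: Set[str]) -> Tuple[bool, str]:
    """Decide whether the request's Host header is acceptable.

    Returns (ok, reason). Any of the following is rejected:
    - no Host header at all
    - more than one Host header
    - a single Host header containing a comma (folded duplicates)
    - a hostname that is not on the allow-list
    """
    hosts = [value for name, value in parse_headers(raw) if name == "host"]
    if len(hosts) == 0:
        return False, "missing Host header"
    if len(hosts) > 1:
        return False, "multiple Host headers"
    host = hosts[0]
    if "," in host:
        return False, "comma-joined Host value (folded duplicates)"
    # Drop an optional :port before comparing. IPv6 literals in brackets are
    # not handled in this example.
    hostname = host.split(":", 1)[0].lower()
    if hostname not in allowed:
        return False, f"Host '{host}' not in allow-list"
    return True, "ok"


if __name__ == "__main__":
    for label, req in [
        ("clean", CLEAN_REQUEST),
        ("duplicate", DUPLICATE_HOST_REQUEST),
        ("folded", FOLDED_HOST_REQUEST),
    ]:
        print(label, host_header_check(req, ALLOWED_HOSTS))
```

The comma check matters precisely because a proxy that folds duplicate headers hides the duplication from the upstream: after folding, the request has exactly one Host header, so a naive "count the Host headers" rule passes it. Comparing against an explicit allow-list is the same idea as the ‘hostnames’ field of an ‘HTTPRoute’ mentioned in the answer, applied one hop later.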