Just asking this question in the forum to see if anyone has an opinion on it. A client’s site running on Hestia recently had a pentest and one of the items was a fail on the Host Header Injection. I understand that not every item on a pentest is necessarily a red flag, but I decided to look into it. So here’s how to test it
curl -I https://realdomain.onhesita.com/ -H "Host: evil.com"
HTTP/2 301
server: nginx
date: Fri, 16 Sep 2022 02:54:24 GMT
content-type: text/html
content-length: 162
location: http://evil.com/
So the fact that the location is returned as the evil.com domain means we’ve tricked the webserver into thinking its serving a page that doesn’t even exist on the server. While its hard to exploit, it can have pretty dire consequences, such as being leveraged in password reset attacks.
I started looking for the code where this was taking place. It wasn’t in the individual website templates, but I found the following line in /etc/nginx/nginx.conf which seems to be responsible.
proxy_set_header Host $host;
Disabling that isn’t an option as then nginx doesn’t know where to send the response for any website. So following the logic, this only becomes a problem when the host is unknown, i.e. when nginx is using the “server_name _;” condition.
This is found in the config file corresponding to the IP address of the server i.e. /etc/nginx/conf.d/23.34.45.56.conf
Disabling that config makes the problem go away .
So, first question: are there any harmful effects of disabling that config? I guess its used in the setup phase, when only the IP address is available, but beyond that, is it actually used? Maybe for nginx-status queries?
Secondly, is there a better way of doing this? All I can think of is using the IP address as hostname in the default config. I’m not one to obsess over every pentest result, but it seems if this can be fixed with low effort then its worth doing.