Re: [squid-users] Squid and HTTP Host value

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Fri, 04 Jul 2008 22:17:45 +0200

On fre, 2008-07-04 at 20:05 +0100, Julian Gilbert wrote:
> Thanks for your responses.
>
> What security problem does rewriting the host value prevent? I'm not sure
> what domain hijacking is. At work I currently use ISA Server 2004 and when
> it receives:
>
> GET http://66.102.9.147/
> HOST www.google.co.uk
>
> it connects to 66.102.9.147 and sends:
>
> GET /
> HOST www.google.co.uk

It's a cache pollution attack. As far as the proxy is concerned the
requested URL was http://66.102.9.147/ not www.google.co.uk.

This attack allows anyone who can host a web site on the same IP (not
uncommon in hosting environments) to set up an attack where the cache of
other web sites on that IP gets poisoned with content of their choice
simply by requesting

GET http://www.example.com/
Host: the.attackers.site

The proxy thinks http://www.example.com was requested, but the web
server delivers http://the.attackers.site/

If there is an intercepting proxy things get even worse as then the
attacker can poison any web site as they like, not even restricted by
the same IP limitation.

> Is this a security risk? The RFCs state that a web server MUST use
> http://66.102.9.147/ and ignore www.google.co.uk but as far as I can see a
> proxy is not required to ignore www.google.co.uk.

Proxies must fulfill both server and client requirements as they act as a
server to the client and as a client to the requested server. See 1.3
Terminology / Proxy.

Regards
Henrik

Received on Fri Jul 04 2008 - 20:17:50 MDT
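
Added example, not part of the original message and not Squid's code: a Python sketch of the Host rewrite discussed in this thread, where the proxy derives both its cache key and the upstream Host header from the absolute request URI and discards the client-supplied Host. The names `normalize_proxy_request` and `SAMPLE` are hypothetical, and the sample request is constructed from the one quoted in the message.

```python
from urllib.parse import urlsplit

# Constructed sample: the mismatched request described in the message.
SAMPLE = (b"GET http://www.example.com/ HTTP/1.1\r\n"
          b"Host: the.attackers.site\r\n"
          b"Accept: */*\r\n\r\n")

def normalize_proxy_request(raw: bytes):
    """Return (cache_key, upstream_request, host_changed).

    Hypothetical helper: the Host header sent upstream is always derived
    from the absolute request URI, so the cache key and the origin's
    virtual-host selection cannot disagree.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError("proxy request needs an absolute http:// URI")

    # Authority as it belongs in Host: lowercase, default port omitted.
    host = f"[{url.hostname}]" if ":" in url.hostname else url.hostname
    authority = host if url.port in (None, 80) else f"{host}:{url.port}"
    path = (url.path or "/") + (f"?{url.query}" if url.query else "")

    client_hosts, kept = [], []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            client_hosts.append(value.strip().lower())  # dropped, never forwarded
        else:
            kept.append(line)
    host_changed = client_hosts != [authority]

    upstream = [f"{method} {path} {version}", f"Host: {authority}", *kept]
    cache_key = f"{method} http://{authority}{path}"
    wire = ("\r\n".join(upstream) + "\r\n\r\n").encode("iso-8859-1") + body
    return cache_key, wire, host_changed

if __name__ == "__main__":
    key, wire, changed = normalize_proxy_request(SAMPLE)
    print("cache key:", key)
    print("client Host replaced:", changed)
    print(wire.decode("iso-8859-1"))
```

A `host_changed` value of true is also worth logging, since a client Host that disagrees with the request URI is the signature of the mismatch described above.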