Host of Troubles: Multiple Host Ambiguities in HTTP Implementations


The Host header is a security-critical component in an HTTP request, as it is used as the basis for enforcing security and caching policies. While the current specification is generally clear on how host-related protocol fields should be parsed and interpreted, we find that the implementations are problematic. We tested a variety of widely deployed HTTP implementations and discovered a wide range of non-compliant and inconsistent host processing behaviours. The particular problem is that when facing a carefully crafted HTTP request with ambiguous host fields (e.g., with multiple Host headers), two different HTTP implementations often accept and understand it differently when operating on the same request in sequence. We show a number of techniques to induce inconsistent interpretations of host between HTTP implementations and how the inconsistency leads to severe attacks such as HTTP cache poisoning and security policy bypass. The prevalence of the problem highlights the potential negative impact of gaps between the specifications and implementations of Internet protocols.
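The disagreement described above, and the strict check that removes it, as an added illustration that is not code from the paper. The two lenient functions are hypothetical models of a "first Host wins" and a "last Host wins" implementation, the strict check follows the RFC 7230 rules that a request with no Host header, more than one Host header, or whitespace before the colon of a field name is answered with 400, and the request bytes are constructed.

```python
# Added illustration (not from the paper); function names are hypothetical models.

def parse_fields(raw: bytes):
    """Return the header fields of a raw HTTP/1.1 request as (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    fields = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name, value.strip()))
    return fields

def _hosts(raw: bytes):
    # Lenient matching: tolerate stray whitespace around the field name.
    return [v for n, v in parse_fields(raw) if n.strip().lower() == "host"]

def host_first_wins(raw: bytes) -> str:
    """Model of a lenient implementation that uses the first Host header."""
    return _hosts(raw)[0]

def host_last_wins(raw: bytes) -> str:
    """Model of a lenient implementation that uses the last Host header."""
    return _hosts(raw)[-1]

def strict_host(raw: bytes) -> str:
    """Return the one unambiguous Host value or raise ValueError (answer 400)."""
    fields = parse_fields(raw)
    for name, _ in fields:
        if not name or name != name.strip():
            raise ValueError(f"whitespace around field name: {name!r}")
    hosts = [v for n, v in fields if n.lower() == "host"]
    if len(hosts) != 1:
        raise ValueError(f"expected exactly one Host header, got {len(hosts)}")
    return hosts[0]

def is_rejected(raw: bytes) -> bool:
    """True when the strict check would answer the request with 400."""
    try:
        strict_host(raw)
        return False
    except ValueError:
        return True

# Constructed sample requests.
CLEAN = b"GET / HTTP/1.1\r\nHost: a.example\r\n\r\n"
AMBIGUOUS = b"GET / HTTP/1.1\r\nHost: a.example\r\nHost: b.example\r\n\r\n"
```

When every hop in a chain applies the strict check, no two components can settle on different hosts for the same request.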

ACM conference on Computer and Communications Security