abhinav singh

Reputation: 1104

Faking an HTTP request header

I have a general networking question, but it's related to the security aspect. Here is my case: I have a host which is infected by a malware. The malware creates an HTTP packet to communicate with its command and control server. While constructing the packet, the IP layer contains the correct IP address of the command and control server. The TCP layer contains the correct port number 80. Before sending the packet out, the malware modifies the HTTP header to replace the Host header with "google.com" instead of its server address. It then attaches the stolen data to the packet and sends it out. My understanding is that the packet will get delivered to the correct server because the routing will happen based on the IP. But can I host a webserver on this IP that would receive all packets with header Host: google.com and parse them correctly? Based on my reading on the internet, it is possible, but if it is that easy, then why have malware authors not adopted this technique to spoof the HTTP headers and bypass traditional domain whitelisting engines?

Upvotes: 0

Views: 2836

Answers (2)

Zac67

Reputation: 2912

The fake host header is just there to trick some deep-inspection firewalls ("it's for Google? you may pass..."). The server on that IP either doesn't care about the host header (default vhost) or is explicitly configured to accept it.

Passing the loot on by using fake headers or just as plain data behind the headers is another trick to fool data loss prevention.

These methods can mislead shallow application-layer inspection but won't pass a decent firewall.

Upvotes: 0

Marcin Gordziejewski

Reputation: 134

When you make a request to, let's say, an Apache2 server, what Apache actually does is match your "Host" header against any VirtualHost in the server's configuration. Only if it cannot be found / is invalid will Apache route the request to the default virtualhost, if one is defined. Basically nothing stops you from changing these headers.

You can simply test it by editing your hosts file and pointing google.com to any other IP - you will be able to handle the google.com domain on your server, but only you will be able to use it this way - no one else.

Anything you send inside HTTP headers shouldn't be trusted - it's just a guide for your server on how to actually handle the traffic.

Upvotes: 1
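Added example (not code from either answer): a minimal allow-listing check of the kind the "decent firewall" in the first answer would do, tying the Host header that the second answer describes back to the destination IP. The address table, the exact-match rule and the sample requests are constructed assumptions for illustration.

```python
from typing import Dict, Optional, Set

# Constructed snapshot of what an allow-listed name is known to resolve to.
# A real inspector would consult its resolver; the address below is made up.
KNOWN_ADDRESSES: Dict[str, Set[str]] = {
    "google.com": {"142.250.0.1"},
}


def parse_host(raw_request: bytes) -> Optional[str]:
    """Return the Host header of a raw HTTP/1.x request, lower-cased, port stripped."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":", 1)[0]
    return None


def classify(dst_ip: str, raw_request: bytes) -> str:
    """Decide how a Host-based allow-list should treat one outbound request.

    A bare Host match is what the spoof in the question relies on; the extra
    comparison against the destination IP is what defeats it.
    """
    host = parse_host(raw_request)
    if host is None:
        return "block-no-host"
    if host not in KNOWN_ADDRESSES:
        return "block-unknown-host"
    if dst_ip not in KNOWN_ADDRESSES[host]:
        return "block-host-ip-mismatch"
    return "pass"


# Constructed samples: the spoofed request from the question, sent to an
# unrelated server, and a legitimate request to the known address.
SPOOFED = b"POST /upload HTTP/1.1\r\nHost: google.com\r\nContent-Length: 5\r\n\r\nloot!"
LEGIT = b"GET / HTTP/1.1\r\nHost: google.com\r\n\r\n"

if __name__ == "__main__":
    print("spoofed ->", classify("203.0.113.7", SPOOFED))
    print("legit   ->", classify("142.250.0.1", LEGIT))
```

The same Host value passes or is blocked depending only on where the packet is actually going, which is why header inspection alone is not a whitelist.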
