7.7 Blocking HTTP host header injection
HTTP host header injection is an attack in which an attacker supplies a forged Host header to make a web server or web service behave as if it were serving a different web domain; the aim is to subvert the behavior of the web server.
You can configure IIS to filter incoming requests through the host header to reject requests that do not have the expected header value.
7.7.1 Implementation using URL Rewrite
You can use the URL Rewrite module to block HTTP host header injection. If it is not already installed on your system, you can install URL Rewrite from Microsoft's iis.net website:
www.iis.net/downloads/microsoft/url-rewrite
To block HTTP host header injection using URL Rewrite:
- On each MyID web server, open the Internet Information Service (IIS) Manager.
- Select the web site under which the MyID websites and services are installed.
  By default, this is the Default Web Site.
- Double-click URL Rewrite.
- Click Add Rule(s).
- In the Inbound rules section, select Request blocking.
- Click OK.
  The Add Request Blocking Rule dialog appears.
- Set the options for the blocking rule.
  The options you set depend on your system configuration. See:
- Click OK.
7.7.1.1 Allowing a single host header
If you are filtering to allow only a single (or single wildcarded) host header, set the following in the Add Request Blocking Rule dialog:
- Block access based on – select Host Header.
- Block request that – select Does not match the pattern.
- Using – select Wildcards.
- Pattern (Host Header) – Type the expected web domain that incoming HTTP requests will use; for example, if HTTP requests are expected on:
  https://myid.mycompany.com
  type:
  myid.mycompany.com
  If required, you can use * as a wildcard; for example:
  *.mycompany.com
  to allow any subdomain of mycompany.com.
  Note: Matching is case insensitive by default.
- How to block – Leave this at the default: Send an HTTP 403 (Forbidden) Response.
7.7.1.2 Using a regular expression for multiple domains
You may have more complicated matching rules. In this case, you can use regular expressions.
For example, if you have a load balancer, most requests may arrive using the load balancer's web domain, but you may still want to allow connections directly to the web servers; in this case you would have two allowable host header values.
The following example shows the basic regular expression for matching a single value:
- Block access based on – select Host Header.
- Block request that – select Does not match the pattern.
- Using – select Regular Expressions.
- Pattern (Host Header) – Type the regular expression that the host header must match to be accepted.
  Note: The regular expression matching is case insensitive by default.
  Example regular expression for matching a single domain:
  ^myid\.mycompany\.com$
  Note: ^ and $ mean that no prefix or suffix is allowed. Any period (.) character must be escaped with a backslash (\).
- How to block – Leave this at the default: Send an HTTP 403 (Forbidden) Response.
The following example provides a list of allowable domains (in this example, websrv1.mycompany.com or loadbalancer.mycompany.com):
^websrv1\.mycompany\.com$|^loadbalancer\.mycompany\.com$
Note: The pipe (|) character is used as a separator for each allowable value.
You can specify any valid regular expression to implement more flexible rules as required.
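The Add Request Blocking Rule dialog stores the rule in the site's web.config, so checking that file is a quick way to verify what was configured. The following is an added example of the two-domain regular expression rule above written directly in web.config (this is not taken from the MyID documentation, and the rule name is a placeholder):

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule name is arbitrary; stopProcessing stops further rules once a request is blocked -->
        <rule name="BlockUnexpectedHostHeader" patternSyntax="ECMAScript" stopProcessing="true">
          <!-- Apply to every request path; the decision is made on the Host header below -->
          <match url=".*" />
          <conditions>
            <!-- negate="true" corresponds to "Does not match the pattern":
                 block when {HTTP_HOST} is NOT one of the allowable values.
                 patternSyntax="ECMAScript" corresponds to "Regular Expressions". -->
            <add input="{HTTP_HOST}"
                 pattern="^websrv1\.mycompany\.com$|^loadbalancer\.mycompany\.com$"
                 negate="true" />
          </conditions>
          <!-- Corresponds to "Send an HTTP 403 (Forbidden) Response" -->
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Unexpected HTTP host header" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

For the single wildcard pattern in 7.7.1.1, the same rule would use patternSyntax="Wildcard" and pattern="*.mycompany.com" instead.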
7.7.2 Implementation for ASP.NET Core applications
For ASP.NET Core applications you can, as an alternative, configure the AllowedHosts entry in the appsettings.production.json file to perform host filtering within each ASP.NET Core application.
See:
However, if you are using URL Rewrite to configure this protection at the IIS level, there is no benefit in also configuring it for each ASP.NET Core application.
7.7.3 Recommendations
Use URL Rewrite to force IIS to block requests that do not have the expected HTTP host headers.