
    Activity Processors: Header Processor: Incident - Missing Host Header

    Complexity: Low (2.0)

    Default Response: 1x = Slow Connection 2-6 seconds and Captcha.

    Cause: All legitimate web browsers submit a Host header with each HTTP request. The Host header contains the server portion of the address entered into the address bar, which is either the server IP address or the domain name. In either case, the header is always provided. If a user submits a request that does not contain a Host header, this incident is triggered.

    Behavior: Omitting the Host header is generally done when trying to scope the attack surface of the web site. Some web servers are configured to host different web sites from the same IP address, based on which domain name is supplied. Hackers will often send a request without a Host header to see if the server will serve back a default web site. If the default web site is not the main web site, this may expose additional pages the attacker can attempt to exploit. This could be considered a "Server Misconfiguration" weakness, but it may also be a legitimate design choice for the web server and its applications. It does not necessarily expose a vulnerability as long as the default web application is secure. Because all major browsers submit Host headers on every request, the user would need a more complex tool, such as a raw data client or an HTTP debugging proxy, to manually construct a request that does not have a Host header. As such, this activity is almost always malicious. In a few cases, some legitimate monitoring tools may omit this header, but those tools should be added to the trusted IP list in configuration.
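
The check described above can be reproduced over raw requests for testing or log review. This is an added example, not the product's own code; `TRUSTED_NETS`, `header_names`, `classify`, and the sample addresses and requests are assumptions constructed for illustration. It covers the cases a naive string search gets wrong: mixed-case header names, folded continuation lines, and a `Host:` string that appears only in the body.

```python
import ipaddress

# Assumption: sources allowed to omit Host (constructed documentation range).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/28")]

def header_names(raw):
    """Return lower-cased header names from the head of a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0]          # ignore the body entirely
    names = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if line[:1] in (b" ", b"\t"):             # folded continuation, not a new header
            continue
        name, sep, _ = line.partition(b":")
        if sep:
            names.append(name.strip().decode("latin-1").lower())
    return names

def classify(src_ip, raw):
    """Return 'ok', 'trusted-source' or 'incident' for one request."""
    if "host" in header_names(raw):
        return "ok"
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in TRUSTED_NETS):
        return "trusted-source"
    return "incident"

# Constructed sample requests (source IP, raw bytes as received).
SAMPLES = [
    ("203.0.113.7", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("203.0.113.7", b"GET / HTTP/1.0\r\nUser-Agent: x\r\n\r\n"),
    ("192.0.2.5", b"GET /health HTTP/1.0\r\nUser-Agent: monitor\r\n\r\n"),
    ("203.0.113.9", b"GET / HTTP/1.1\r\nhOsT: www.example.com\r\n\r\n"),
    ("203.0.113.9", b"GET / HTTP/1.1\r\nX-Note: a\r\n host: folded\r\n\r\n"),
    ("203.0.113.9", b"POST /f HTTP/1.1\r\nContent-Length: 7\r\n\r\nHost: x"),
]

def run_samples():
    return [classify(ip, raw) for ip, raw in SAMPLES]

if __name__ == "__main__":
    for (ip, _), verdict in zip(SAMPLES, run_samples()):
        print(ip, verdict)
```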

    Published: 2013-11-20