Activity Processors: Header Processor: Incident - Missing Host Header

Complexity: Low (2.0)

Default Response: 1x = Slow Connection 2-6 seconds for 1 day and Captcha.

Cause: All legitimate web browsers submit a Host header with each HTTP request. The Host header carries the host the user entered in the address bar, either the server's IP address or a domain name (plus the port, when one was specified). In either case it is always provided. If a request arrives that does not contain a Host header, this incident is triggered. Note that this incident only triggers on HTTP/1.1 requests, where the Host header is mandatory; HTTP/1.0 requests, which are not required to carry one, do not trigger it.

Behavior: Omitting the Host header is generally done when scoping the attack surface of a website. Some web servers host several sites on the same IP address and select which one to serve from the supplied domain name (name-based virtual hosting). Attackers often send a request without a Host header to see whether the server falls back to a default site. If that default site is not the main website, it can expose additional pages the attacker can attempt to exploit. This could be considered a "Server Misconfiguration" weakness, but it can also be a legitimate design choice for the web server and its applications; it does not necessarily expose a vulnerability as long as the default web application is secure. Because all major browsers send a Host header on every request, the user would need a more specialized tool, such as a raw socket client or an HTTP debugging proxy, to hand-craft a request without one. As such, this activity is almost always malicious. In a few cases, some legitimate monitoring tools omit this header; those tools should be added to the trusted IP list in the configuration.
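The following is an added example, not part of this documentation page and not the product's own detection code. It implements the decision rule described above in Python: parse the raw request head, trigger only for HTTP/1.1 requests with no Host header, skip HTTP/1.0 requests, and exempt sources on a trusted IP list. The sample requests and the trusted network (10.0.0.0/8, standing in for a monitoring range) are constructed for the example.

```python
import ipaddress

# Constructed sample requests for the example (not captured traffic).
REQ_HTTP11_OK = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"User-Agent: Mozilla/5.0\r\n\r\n")
REQ_HTTP11_NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: curl/8.0\r\n\r\n"
REQ_HTTP10_NO_HOST = b"GET / HTTP/1.0\r\n\r\n"
REQ_HTTP11_LOWER = b"GET /a HTTP/1.1\r\nhost: www.example.com\r\n\r\n"

# Hypothetical trusted range for monitoring tools that omit Host.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_request(raw: bytes):
    """Return (method, target, version, headers) from a raw HTTP request head.

    Header names are lower-cased because HTTP header names are
    case-insensitive; values are kept as lists so repeats are visible.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").splitlines()
    if not lines:
        raise ValueError("empty request")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, version, headers


def classify_request(raw: bytes, client_ip: str) -> str:
    """Apply the Missing Host Header rule to one request.

    Returns one of:
      "OK"              - Host header present
      "IGNORED_HTTP10"  - HTTP/1.0 request; Host is optional, no incident
      "IGNORED_TRUSTED" - Host missing but source is on the trusted IP list
      "INCIDENT"        - HTTP/1.1 request with no Host header
    """
    _, _, version, headers = parse_request(raw)
    if "host" in headers:
        return "OK"
    if version == "HTTP/1.0":
        return "IGNORED_HTTP10"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return "IGNORED_TRUSTED"
    if version == "HTTP/1.1":
        return "INCIDENT"
    # Other versions are outside the scope of this incident.
    return "OK"


if __name__ == "__main__":
    for name, req in [("browser", REQ_HTTP11_OK),
                      ("no-host-1.1", REQ_HTTP11_NO_HOST),
                      ("no-host-1.0", REQ_HTTP10_NO_HOST)]:
        print(name, classify_request(req, "203.0.113.5"))
```

The trusted-IP check runs before the version check on purpose: a monitoring tool on the allowlist is exempted whatever it sends, which mirrors the configuration advice above. A production rule would also want to reject a request line that does not parse at all rather than raise, but that belongs to a different incident.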