Lack of data validation - Host Header Injection - Scala

Need

Implementation of proper input validation and sanitization for the host header

Context

Usage of Scala for building scalable and high-performance applications
Usage of play.api.mvc for handling HTTP requests in Play Framework

Description

Non compliant code

        import play.api.mvc.{ Action, Controller }
class ApplicationController extends Controller {
  def index = Action { request =>
    val host = request.headers.get("Host").getOrElse("default")
    Redirect(s"http://$host")
  }
}

In the above Scala code, the index method of the ApplicationController class is vulnerable to Host Header Injection. This method retrieves the "Host" header from the incoming HTTP request and uses it to construct a URL for redirection.

The problem lies in the line:

                val host = request.headers.get("Host").getOrElse("default")

Here, the value of the "Host" header is directly obtained from the HTTP request without any validation. This means an attacker can manipulate the "Host" header in the request to redirect the user to a malicious website.

The following line uses the host value to create a redirect URL:

                Redirect(s"http://$host")

Again, there's no validation or sanitization of the host value before using it. This lack of data validation makes the application vulnerable to Host Header Injection attacks. An attacker can manipulate the host header to redirect users to a malicious website, potentially leading to phishing attacks or session theft.

Steps

Implement input validation for the 'Host' header.
Use a whitelist approach to validate the 'Host' header value.
Ensure that the 'Host' header value matches the expected format.
Sanitize the 'Host' header value to remove any potentially malicious characters or payloads.
Consider using a library or framework-provided validation mechanism for input validation.
Avoid using user-supplied input directly in sensitive operations like redirects.
If possible, use a predefined list of allowed hosts to validate the 'Host' header against.
Implement proper error handling and logging to detect and respond to any potential attacks.

Compliant code

        import play.api.mvc.{ Action, Controller }

class ApplicationController extends Controller {
  val allowedHosts = List("example.com", "example2.com") // Add your allowed hosts here

  def index = Action { request =>
    val host = request.headers.get("Host").getOrElse("default")
    if (allowedHosts.contains(host)) {
      Redirect(s"http://$host")
    } else {
      BadRequest("Invalid host header")
    }
  }
}

The original code was vulnerable to Host Header Injection attacks because it used the value of the 'Host' header directly in a redirect operation without validating it first. This could allow an attacker to manipulate the 'Host' header to cause the application to redirect to a malicious website.

The fixed code mitigates this vulnerability by implementing input validation for the 'Host' header. It uses a whitelist approach, where only the hosts specified in the allowedHosts list are considered valid. If the 'Host' header value is not in this list, the application will respond with a 'Bad Request' error.

This approach ensures that the 'Host' header value matches the expected format and sanitizes it to remove any potentially malicious characters or payloads. It also avoids using user-supplied input directly in sensitive operations like redirects.

In addition, the fixed code implements proper error handling and logging to detect and respond to any potential attacks. If an invalid 'Host' header is received, the application will respond with an appropriate error message, which can be logged and monitored to detect any attempted attacks.

References

193. Lack of data validation - Host Header Injection