Vincent Yiu
Host Header Manipulation


Last updated 6 years ago


TL;DR: Host header obfuscation

When attacking a target, you never know what sort of rules the blue team has in place to detect you. With the rise of Domain Fronting, which meant that more people were manipulating Host headers, I decided to look a bit more into what you can actually do with a Host header.

You can change the header

Everyone knows you can modify the Host header. As long as the CDN can parse the Host header, we can use the CDN to route our traffic to a chosen endpoint. What hasn't really been spoken about in the public domain is the format in which we can place the Host header and still have it route to the endpoint. In this blog post I'm going to highlight some basic ideas for you to add to your Domain Fronting skill-set, which can potentially cause some extra havoc for the Blue Team who is analysing your traffic.

The Test Environment

Here I'm using Google App Engine and CloudFront. There are many more CDNs out there, such as Alibaba, so there's much more research to be done. I'm not going to go into exact specifics of which techniques work on which environment; that's for the reader to find out.

Arbitrary Naming

I've already covered this in previous posts, but you can essentially configure arbitrary CNAMEs (alternate domain names) on your instance and refer to it by any of them. As seen in those earlier posts, try converting:

Host: abcdefghijk.cloudfront.net

to:

Host: nice.try.but.no

Spaces

We all love white space, don't we? Try converting:

Host: nice.try.but.no

to:

Host:               nice.try.but.no

or even removing the space entirely: Host:nice.try.but.no

Heck, even stuff like %1c and %1f, which decode to the ASCII control characters 0x1C (file separator) and 0x1F (unit separator), works!

Why not stick an up arrow in?

Combine these together and you get something like this:

Dots

Some Content Delivery Networks will let you use Host: nice.try.but.no................ and it will still work!

New Lines

Good old header injection works in some Content Delivery Networks! Just stick a %0d (a carriage return) at the end of the header and check out the following request and response. Request:

Response:

Combining it all together

Conclusion

You can inject a ton of characters, including new lines, at the front and end of the Host header. This adds extra complexity for the Blue Team trying to detect domain fronting: even when they perform TLS interception, the Host value will not match a simple string rule unless their proxy normalises or rewrites the Host header before inspecting it.
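As an added example (not code from the original post), the script below puts the whole post together from both sides of the wire. The attacker side builds the raw request lines the Spaces, Dots and New Lines sections describe (leading whitespace, no space after the colon, the decoded %1c/%1f control characters, trailing dots, a trailing %0d, and all of them combined); the counts of spaces and dots are arbitrary, and the script only assembles the bytes, it does not send them, because which CDN accepts which variant is left to the reader as the post says. The defender side shows the normalisation a TLS-inspecting proxy needs before comparing Host against SNI, so that none of these variants slips past a rule written for the plain hostname. The hostnames are the ones used in the post.

```python
"""Host header obfuscation variants and the normalisation that defeats them.
Added example; not part of the original post."""
import re
from typing import Dict, Optional

# Decoded forms of the percent-encodings mentioned in the post. They travel
# raw on the wire; the %xx notation is only how a proxy tool displays them.
FS = "\x1c"   # %1c, ASCII file separator
US = "\x1f"   # %1f, ASCII unit separator
CR = "\r"     # %0d, carriage return


def host_header_variants(host: str) -> Dict[str, str]:
    """Return the Host header lines demonstrated in the post (no terminator).
    Space and dot counts are arbitrary choices for illustration."""
    return {
        "plain":          f"Host: {host}",
        "leading_spaces": "Host:" + " " * 15 + host,
        "no_space":       f"Host:{host}",
        "control_chars":  f"Host: {FS}{host}{US}",
        "trailing_dots":  f"Host: {host}" + "." * 16,
        "trailing_cr":    f"Host: {host}{CR}",
        "combined":       "Host:" + " " * 3 + FS + host + "." * 4 + US + CR,
    }


def build_request(host_line: str, path: str = "/") -> bytes:
    """Assemble a minimal HTTP/1.1 request around an obfuscated Host line.
    In a fronting setup these bytes would be written to a TLS connection
    whose SNI names the fronting domain rather than the real backend."""
    return (f"GET {path} HTTP/1.1\r\n{host_line}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


# --- detection side ---------------------------------------------------------

_STRIP = re.compile(r"[\x00-\x20\x7f]")   # C0 control characters, space, DEL


def normalize_host(raw_value: str) -> str:
    """Canonicalise a Host value: drop whitespace and control characters
    (covers the leading spaces, %1c/%1f and %0d tricks), strip trailing
    dots, remove an explicit port and lower-case the result."""
    value = _STRIP.sub("", raw_value)
    value = value.rstrip(".")
    value = re.sub(r":\d+$", "", value)
    return value.lower()


def extract_host(raw_request: bytes) -> Optional[str]:
    """Pull the Host header value out of a raw request. Header lines are
    split strictly on CRLF, so a bare %0d at the end of the value stays in
    the value and is dealt with by normalize_host rather than being treated
    as a line break."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value
    return None


def fronting_mismatch(sni: str, raw_request: bytes) -> bool:
    """True when the normalised Host does not match the TLS SNI: the signal
    a TLS-inspecting proxy uses to flag domain fronting."""
    host = extract_host(raw_request)
    if host is None:
        return True
    return normalize_host(host) != sni.lower().rstrip(".")


if __name__ == "__main__":
    sni = "abcdefghijk.cloudfront.net"
    for name, line in host_header_variants("nice.try.but.no").items():
        req = build_request(line)
        print(f"{name:15} {line!r:50} -> host={normalize_host(extract_host(req))!r}"
              f" mismatch={fronting_mismatch(sni, req)}")
```

Run it to see every variant collapse to the same canonical host and be flagged against the CloudFront SNI. The takeaway for the detection side is in `normalize_host`: a rule that compares the raw Host string against SNI is bypassed by every variant in the post, whereas stripping control characters and whitespace, dropping trailing dots and lower-casing before the comparison catches all of them.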
