# Host Header Manipulation

TL;DR: Host header obfuscation

When attacking a target, you never know what sort of rules the blue team has in place to detect you. With the rise of Domain Fronting, which meant that more people were manipulating host headers, I decided to look a bit more into what you can do with a host header!

## You can change the header <a href="#youcanchangetheheader" id="youcanchangetheheader"></a>

Everyone knows you can modify the host header. As long as the CDN can parse the host header, we can use the CDN to route our traffic to a chosen endpoint. What we haven't really spoken about in the public domain is the format in which we can place the host header and still make it route to the endpoint. In this blog post I'm going to highlight some basic ideas for you to add to your Domain Fronting skill-set and allow you to potentially cause some extra havoc for the Blue Team who is analysing your traffic.

## The Test Environment <a href="#thetestenvironment" id="thetestenvironment"></a>

Here I'm using Google App Engine and CloudFront. There are many more CDNs out there, such as [Alibaba](https://vincentyiu.co.uk/alibaba-cdn-domain-fronting/), so there's much more research to be done. I'm not going to go into exact specifics of which techniques work on which environment; that's for the reader to find out.

## Arbitrary Naming <a href="#arbitrarynaming" id="arbitrarynaming"></a>

I've already covered this before in previous posts, but you can essentially use arbitrary CNAMEs to refer to your instance, as seen [here](https://vincentyiu.co.uk/alibaba-cdn-domain-fronting/) and [here](https://vincentyiu.co.uk/domain-fronting-who-am-i/). Try converting:

```
Host: abcdefghijk.cloudfront.net
```

to:

```
Host: nice.try.but.no
```

![](/files/-LP7OfKzcYHwJgsFg5xr)

## Spaces <a href="#spaces" id="spaces"></a>

We all love white space, don't we? Try converting:

```
Host: nice.try.but.no
```

to:

```
Host:               nice.try.but.no
```

![](/files/-LP7OiZm6dkvvcvXaBi2)

or even removing the space `Host:nice.try.but.no`:

![](/files/-LP7OlX7o9pNmYyDIjnd)

Heck, even stuff like `%1c` and `%1f`, which decode to control characters, works!

![](/files/-LP7OoaRMILx5e8KQY54)

Why not stick an up arrow in?

![](/files/-LP7OrK7BFXaHSeVvLom)

Combine it all together and you get something like this:

![](/files/-LP7OtHTzStFnL-JN_Tq)

## Dots <a href="#dots" id="dots"></a>

Some Content Delivery Networks will let you use `Host: nice.try.but.no................` and it will still work!

![](/files/-LP7OwpCSJnqdO-Ov-rB)

## New Lines <a href="#newlines" id="newlines"></a>

Good old header injection works in some Content Delivery Networks! Check out the following request and response! Just stick a `%0d` at the end of the header.

Request:

![](/files/-LP7P5M5NjLpOUIlbwj8)

Response:

![](/files/-LP7P95TwLhqGnAiu8nZ)

## Combining it all together <a href="#combiningitalltogether" id="combiningitalltogether"></a>

![](/files/-LP7PFT5eqxC5xhSUFb2)

## Conclusion <a href="#conclusion" id="conclusion"></a>

You can inject a ton of characters, including new lines, at the front and end of the Host header. This adds extra complexity for the Blue Team trying to detect domain fronting, even when they are doing TLS interception, as long as the CDN does not rewrite the host header.
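The flip side for the Blue Team is that every variant above collapses back to the same name once you normalise it. The following is an added example (not code from the original post) of a detection-side normaliser: it strips the padding, control characters, trailing dots and CR/LF the post demonstrates, labels which trick was used, and compares the resulting name against the TLS SNI, which is the actual domain fronting indicator. The sample values are constructed to mirror the post's screenshots; the `nice.try.but.no` and `abcdefghijk.cloudfront.net` names are taken from the post.

```python
import re

# Constructed sample values modelled on the variants the post shows; none are
# captured from a real CDN. Each pair is (decoded Host header value, TLS SNI).
SAMPLES = [
    ("abcdefghijk.cloudfront.net", "abcdefghijk.cloudfront.net"),
    ("nice.try.but.no", "abcdefghijk.cloudfront.net"),
    ("              nice.try.but.no", "abcdefghijk.cloudfront.net"),
    ("nice.try.but.no................", "abcdefghijk.cloudfront.net"),
    ("\x1fnice.try.but.no\x1c", "abcdefghijk.cloudfront.net"),  # %1f / %1c
    ("nice.try.but.no\r", "abcdefghijk.cloudfront.net"),  # %0d
]

# Host name label syntax, applied once the obfuscation has been stripped.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def normalise_host(raw, sni=None):
    """Reduce an obfuscated Host value to the name the CDN would route on and
    report which tricks were seen. Returns (canonical_host, anomalies)."""
    anomalies = []
    value = raw
    if "\r" in value or "\n" in value:
        anomalies.append("crlf")  # header injection attempt
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        anomalies.append("control-chars")  # covers %1c, %1f, %0d and friends
        value = "".join(c for c in value if 0x20 <= ord(c) < 0x7F)
    if value != value.strip():
        anomalies.append("padding")  # leading/trailing whitespace
        value = value.strip()
    host, _, _port = value.partition(":")  # keep an explicit :port out of the checks
    if host.endswith("."):
        anomalies.append("trailing-dots")
        host = host.rstrip(".")
    host = host.lower()
    if not HOSTNAME_RE.match(host):
        anomalies.append("invalid-hostname")
    if sni is not None and host != sni.lower():
        anomalies.append("host-sni-mismatch")  # the domain fronting signal
    return host, anomalies


def scan(samples):
    """Return the (canonical host, anomalies) pairs an analyst should look at."""
    return [(h, a) for h, a in (normalise_host(r, s) for r, s in samples) if a]
```

Feed `scan()` the decoded Host values from your TLS-intercepting proxy logs together with the SNI of the same connection; the clean CloudFront request drops out and every obfuscated variant surfaces as `nice.try.but.no` with a `host-sni-mismatch` tag.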

