Practical HTTP Host header attacks (original)

2020 update: I've designed an up to date and in-depth exploration of this topic with interactive labs, which you can find at HTTP Host header attacks. The original post is preserved below:

Introduction

How does a deployable web-application know where it is? Creating a trustworthy absolute URI is trickier than it sounds. Developers often resort to the exceedingly untrustworthy HTTP Host header ($_SERVER["HTTP_HOST"] in PHP). Even otherwise-secure applications trust this value enough to write it to the page without HTML-encoding it with code equivalent to:
<link href="http://$_SERVER['HOST']" (Joomla)

...and append secret keys and tokens to links containing it:
(Django, Gallery, others)

...and even directly import scripts from it:
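The patterns above all take the host part of an absolute URI straight from the request. The defensive alternative is to validate the Host header against an allowlist of names the deployment actually answers for, and to build absolute URIs only from a validated value. The following is an added example in Python (not code from the original post or from Joomla, Django or Gallery); ALLOWED_HOSTS, the WSGI-style environ keys and the two example host names are assumptions for the demonstration.

```python
import re
from urllib.parse import urlunsplit

# Hosts this deployment is allowed to answer for (constructed example values).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Accept only a bare host name, IPv4 literal, or bracketed IPv6 literal, plus an
# optional port. Anything else ("@", "/", whitespace, a scheme) is rejected.
_HOST_RE = re.compile(
    r"^(?P<host>[a-z0-9.-]+|\[[0-9a-f:.]+\])(?::(?P<port>\d{1,5}))?$", re.I
)


def validate_host(header_value, allowed=ALLOWED_HOSTS):
    """Return (host, port) if the Host header names a host we serve, else None."""
    if header_value is None:
        return None
    m = _HOST_RE.match(header_value.strip())
    if not m:
        return None
    # Normalise case and a trailing dot so "EXAMPLE.COM." matches "example.com".
    host = m.group("host").lower().rstrip(".")
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 0 < port < 65536:
        return None
    if host not in allowed:
        return None
    return host, port


def absolute_url(environ, path, allowed=ALLOWED_HOSTS):
    """Build an absolute URL for `path` from the validated Host header only.

    X-Forwarded-Host and similar proxy headers are deliberately ignored; the
    caller decides whether a trusted proxy is allowed to override the host.
    """
    validated = validate_host(environ.get("HTTP_HOST"), allowed)
    if validated is None:
        raise ValueError("untrusted Host header")
    host, port = validated
    scheme = "https" if environ.get("wsgi.url_scheme") == "https" else "http"
    default_port = 443 if scheme == "https" else 80
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, path, "", ""))
```

A password-reset or asset link generated through absolute_url() can only ever point at a host in the allowlist, whatever the client sent.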