logo

Database

Lack of data validation - Host Header Injection

Description

The application allows to manipulate the host header which may lead to unintended redirects to malicious websites.

Impact

Redirect the user to harfmful websites.

Recommendation

Validate the host header against a whitelist of trusty domains.

Threat

Anonymous attacker from adjacent network.

Expected Remediation Time

⏱️ 30 minutes.

Requirements

173 - Discard unsafe inputs320 - Avoid client-side control enforcement342 - Validate request parameters

Fixes

CsharpElixirGoJavaPhpPythonRubyScalaTypescript

Score

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

Attack vector

A

Attack complexity

H

Attack requirements

N

Privileges required

N

User interaction

A

Confidentiality (VC)

L

Integrity (VI)

L

Availability (VA)

N

Confidentiality (SC)

N

Integrity (SI)

N

Availability (SA)

N

Threat 4.0

Exploit maturity

A

Vector string

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:A