Prevent Host header attack

0 votes
asked by user (120 points)

I scanned my website with Acunetix Web Vulnerability Scanner and I got a "Host Header attack" vulnerability.

The description says that I wrote


but I didn't, and I don't know how to fix this.

Here is the header of the affected file:

    <?php
    include 'core/init.php';

    $post = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);

    // Note: the braces of the original were lost when the code was posted;
    // the branch structure below is a reconstruction of the visible lines.
    // Lock the account for 10 minutes after three failed logins.
    if (time() - $user->failTime($post['email']) < 600 && $user->failCount($post['email']) >= 3) {
        // "Your account is locked for 10 minutes."
        $err = '<p style="color:red;">Račun vam je zaključan na 10 minuta.</p>';
    } elseif (empty($post['email']) || empty($post['password'])) {
        $err = '';
    } elseif ($id = $user->prijava($post['email'], $post['password'])) {   // prijava = login
        $_SESSION['user'] = $id['id'];
        // "User account is not activated."
        $err = '<p style="color:red;">Korisnički račun nije aktiviran.</p>';
    } else {
        // "Password and email do not match."
        $err = '<p style="color:red;">Lozinka i email se ne poklapaju.</p>';
    }

And the HTML:

    <meta charset="UTF-8">
    <link rel="shortcut icon" href="images/favicon.png" type="image/png">
    <link rel="stylesheet" type="text/css" href="css/sign.css?<?php echo time(); ?>">       
    <script src=""></script>

Here is an image of the vulnerability description:


To sum up: how can I protect my website? Thank you.

commented by user (100 points)
That's just an example of how this header could be used. I'd check php.ini for header-related settings. Also, are you using some framework?
commented by user (120 points)
@Alfabravo I don't use any framework, and I don't have access to php.ini. Should I ask my hosting provider for it?


0 votes
answered by user (700 points)

There are two ways to prevent Host header attacks:

  1. Use $_SERVER['SERVER_NAME'] and enforce it at the httpd (Apache, nginx, etc.) configuration level

    What this means is that you should have an explicitly configured virtual host for each domain you serve. Or in other words - don't allow "catch-all" configurations.

  2. Check if it matches a whitelist of domains that you serve:

    // Just in case there's more than one ...
    $domains = ['', ''];
    if ( ! in_array($_SERVER['SERVER_NAME'], $domains)) {
        // error: the request was not for a host we serve
        http_response_code(400);
        exit;
    }

Despite what its name implies, unless you followed the first solution, $_SERVER['SERVER_NAME'] will also be populated from the Host header value when PHP runs behind a "catch-all" configuration.
Thus, they are both equal unless your HTTP server is properly configured, which is why both solutions above refer to $_SERVER['SERVER_NAME']: it effectively doesn't matter whether you use that or $_SERVER['HTTP_HOST'].
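What the first option in the answer looks like in practice, as an added example that is not part of the original answer: an nginx configuration with an explicit default server that swallows requests for unknown hosts, followed by the real site with its host names spelled out. The host names, paths and certificate locations are placeholders.

```nginx
# Added example, not from the original post. Host names and paths are placeholders.

# 1. A default server catches every request whose Host header does not match a
#    configured site. "return 444" is nginx-specific: it closes the connection
#    without sending a response. The Apache equivalent is a first <VirtualHost>
#    that only ever answers 403 or 404.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    # Any certificate will do here; clients of unknown hosts never see a page.
    ssl_certificate     /etc/ssl/certs/placeholder.pem;
    ssl_certificate_key /etc/ssl/private/placeholder.key;
    return 444;
}

# 2. The real site. Only requests for these names reach PHP, and
#    fastcgi_params sets SERVER_NAME from $server_name (the first name listed),
#    so it is no longer copied from whatever the client sent in Host.
server {
    listen 80;
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /etc/ssl/certs/example.com.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    root  /var/www/example.com;
    index index.php;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

On shared hosting where you cannot touch the web server configuration, this option is not available to you, and the application-level allowlist check is the one you can actually deploy.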

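The second option from the answer, the allowlist check, as an added example written for this page rather than taken from the original answer. It normalises the Host value (case, optional port), rejects anything that is not a plain host name, and builds absolute URLs from a configured canonical host instead of the request, since links generated from an attacker-chosen Host (for example in password-reset or activation e-mails) are what such an attack usually targets. The host names, the file name `host_check.php` and the `core/init.php` placement are assumptions.

```php
<?php
// Added example (not from the original post): host allowlist check for a
// plain-PHP site without a framework. ALLOWED_HOSTS and the canonical host
// below are placeholders; replace them with the names you actually serve.

const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

/**
 * Normalise a Host header value for comparison: lower-case it and drop an
 * optional ":port" suffix, but return null for anything that is not a plain
 * DNS host name so that values such as "host/path" or "host\r\nX-Injected: 1"
 * are never accepted. (IPv6 literals are not expected for this site.)
 */
function normalize_host(string $raw): ?string
{
    $host = strtolower(trim($raw));
    // \z (not $) so a trailing newline cannot satisfy the end anchor.
    if (preg_match('/^([a-z0-9.-]+)(:\d{1,5})?\z/', $host, $m) !== 1) {
        return null;
    }
    return $m[1];
}

/** True only when the requested host is one we deliberately serve. */
function host_is_allowed(?string $raw, array $allowed = ALLOWED_HOSTS): bool
{
    if ($raw === null) {
        return false;
    }
    $host = normalize_host($raw);
    return $host !== null && in_array($host, $allowed, true);
}

/**
 * Build absolute URLs from a configured canonical host, never from
 * $_SERVER['HTTP_HOST'], so e-mailed links cannot point at an attacker's domain.
 */
function absolute_url(string $path, string $canonicalHost = 'www.example.com'): string
{
    return 'https://' . $canonicalHost . '/' . ltrim($path, '/');
}

// Put this at the top of core/init.php so that every page is covered.
if (PHP_SAPI !== 'cli' && !host_is_allowed($_SERVER['HTTP_HOST'] ?? null)) {
    http_response_code(400);
    exit('Bad Request');
}

// Self-check from the command line:  php host_check.php
if (PHP_SAPI === 'cli') {
    $cases = [                                   // constructed test inputs
        'www.example.com'                  => true,
        'WWW.EXAMPLE.COM:443'              => true,
        'example.com'                      => true,
        'evil.example.net'                 => false,
        'www.example.com.attacker.net'     => false,
        "www.example.com\r\nX-Injected: 1" => false,
        'www.example.com/reset.php'        => false,
    ];
    $failed = 0;
    foreach ($cases as $host => $expected) {
        if (host_is_allowed($host) !== $expected) {
            echo 'FAIL: ' . json_encode($host) . PHP_EOL;
            $failed++;
        }
    }
    echo $failed === 0 ? "all host checks passed\n" : "$failed host check(s) failed\n";
    echo absolute_url('reset.php?token=abc'), PHP_EOL;
}
```

The comparison is exact and strict (no `str_contains`/substring matching), which is what stops `www.example.com.attacker.net` from passing; and because the check lives in `core/init.php`, a page that forgets to include it simply does not run at all.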