generic.nginx.security.request-host-used.request-host-used


The '$http_host' and '$host' variables may contain a malicious value from the attacker-controlled 'Host' request header. Use an explicitly configured host value or an allow list for validation.



Definition

# Semgrep rule: report nginx configuration that reuses the client-supplied
# Host value. Both '$http_host' and '$host' are matched, since the rule's
# message treats either as attacker-influenced (see the references below).
rules:
  - id: request-host-used
    languages:
      - generic
    severity: WARNING
    # Any occurrence of either variable in a scanned file is reported.
    pattern-either:
      - pattern: $http_host
      - pattern: $host
    # Only files whose path looks like nginx configuration are scanned;
    # a config kept under some other name is not covered by this rule.
    paths:
      include:
        - '*conf*'
        - '*nginx*'
        - '*vhost*'
        - 'sites-available/*'
        - 'sites-enabled/*'
    message: >-
      '$http_host' and '$host' variables may contain a malicious value from
      attacker controlled 'Host' request header. Use an explicitly configured
      host value or a allow list for validation.
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - nginx
      cwe:
        - 'CWE-290: Authentication Bypass by Spoofing'
      owasp:
        - 'A07:2021 - Identification and Authentication Failures'
      vulnerability_class:
        - Improper Authentication
      references:
        - https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md
        - https://portswigger.net/web-security/host-header
      confidence: MEDIUM
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

request-host-used.conf

# Test fixture for the rule: the client's Host header ('$http_host') is
# copied verbatim into the header sent upstream, so the rule must fire here.
server {
  listen 80;

  location @app {
    # ruleid: request-host-used
    proxy_set_header Host $http_host;
    proxy_pass http://backend;
  }
}

# Test fixture for the rule: '$host' is treated by the rule as equally
# request-derived, so using it in the upstream Host header must also fire.
server {
  listen 80;

  location @app {
    # ruleid: request-host-used
    proxy_set_header Host $host;
    proxy_pass http://backend;
  }
}