Prevent Host Header Injection / Redirection in Google Kubernetes Engine ( GKE ) Ingress / FrontendCo

Time:02-21

I have a k8s deployment that uses Cloud DNS and a Managed Certificate (for SSL) along with the k8s service.

I have configured the HTTP to HTTPS redirect according to this GKE documentation.

This works perfectly fine and redirects my HTTP requests to the HTTPS website.

Now, when I test for HOST HEADER INJECTION using the following command from CMD,

curl http://staging.mysite.com --header 'Host: malicious.com'

I get the following response:

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://malicious.com/">here</A>.
</BODY></HTML>

To mention, my application is built on Angular 11, and I am using Nginx to serve the app after building.

Here are my Ingress, FrontendConfig and ManagedCertificate configs

apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
    name: ssl-redirect
spec:
    redirectToHttps:
        enabled: true
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
    name: staging-service-ingress
    annotations:
        kubernetes.io/ingress.global-static-ip-name: staging-global-ip
        networking.gke.io/managed-certificate: staging-cert
        networking.gke.io/v1beta1.FrontendConfig: ssl-redirect
spec:
    defaultBackend:
        service:
            name: web-staging-service
            port:
                number: 80
    rules:
        - host: staging.mysite.com
          http:
              paths:
                  -   backend:
                          service:
                              name: web-staging-service
                              port:
                                  number: 80
                      pathType: ImplementationSpecific
                      path: /*
---
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
    name: staging-cert
spec:
    domains:
        - staging.mysite.com

Here's my Nginx config

worker_processes 4;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events { worker_connections 1024; }

http {
    server {
        listen       80;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
        ssl_prefer_server_ciphers on;
        server_tokens off;

        # server names are space-separated; a comma would become part of the name
        server_name *.mysite.com mysite.com;

        types {
            module js;
        }

        sendfile on;
        include       /etc/nginx/mime.types;

        gzip on;
        gzip_http_version 1.1;
        gzip_disable      "MSIE [1-6]\.";
        gzip_min_length   256;
        gzip_vary         on;
        gzip_proxied      expired no-cache no-store private auth;
        gzip_types        text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        gzip_comp_level   9;

        location / {
            root   /usr/share/nginx/html;
            try_files $uri $uri/ /index.html;
            index  index.html index.htm;
        }

        error_page   404 500 502 503 504  /404.html;
        location = /404.html {
            root   /usr/share/nginx/html;
        }

    }
    add_header Strict-Transport-Security "max-age=31536000;" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Frame-Options sameorigin always;
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy 'origin';
    add_header Content-Security-Policy "some rules";
    add_header Permissions-Policy "some rules";
}

I am not finding a proper way to prevent the injection. The application otherwise works perfectly with the current configuration.

Please help me with a proper solution to prevent the HOST HEADER INJECTION.

CodePudding user response:

GCP provides protection from these types of attacks via Cloud Armor. Cloud Armor has built-in WAF policies which support protection from protocol attacks such as HTTP header injection.

You'll first need to configure your Cloud Armor policy and then you can associate it with a BackendConfig attached to the backend Kubernetes Service ("web-staging-service") used by your Ingress resource.

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: cloud-armor
spec:
  securityPolicy:
    name: "waf-security-policy"

CodePudding user response:

The web application should use the SERVER_NAME instead of the Host header. It should also create a dummy vhost that catches all requests with unrecognized Host headers. This can also be done under Nginx by specifying a non-wildcard SERVER_NAME, and under Apache by using a non-wildcard serverName and turning the UseCanonicalName directive on. https://www.nginx.com/resources/wiki/start/topics/examples/server_blocks/
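An added example (not from the question or either answer) of the catch-all vhost the second answer describes, applied to the question's nginx setup: an explicit default server rejects unrecognised Host values, and the site's own block uses an exact server_name and builds any redirect from the literal hostname rather than $host. The /old-path and /new-path location is a hypothetical illustration; note that the 301 shown in the question is issued by the GKE load balancer's redirectToHttps before traffic reaches this nginx, so this config governs only requests that arrive at the pod.

```nginx
http {
    include /etc/nginx/mime.types;

    # Catch-all for any Host the site does not expect. default_server makes
    # this block win whenever no other server_name matches, so an arbitrary
    # Host value never selects the application's block.
    server {
        listen 80 default_server;
        server_name _;
        # 444 closes the connection without a response; 421
        # (Misdirected Request) is the alternative when a status is wanted.
        return 444;
    }

    # The real site: exact, non-wildcard server_name (the question's hostname).
    server {
        listen 80;
        server_name staging.mysite.com;
        root /usr/share/nginx/html;

        # Any redirect nginx itself emits is built from the literal hostname,
        # not from $host (which is taken from the request's Host header), so
        # a client-supplied Host cannot steer the Location header.
        # /old-path and /new-path are hypothetical paths for illustration.
        location = /old-path {
            return 301 https://staging.mysite.com/new-path;
        }

        location / {
            try_files $uri $uri/ /index.html;
        }
    }
}
```

A quick check after reloading is the question's own curl command with a foreign Host value: the catch-all block should answer it (connection closed or 421), while a request with Host: staging.mysite.com still serves the app.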
