Firebase / React - Prevent Host Header attack

Time: 03-15

I am working to remedy some security vulnerabilities from a penetration test. The vulnerability in question is a "Web Server Vulnerable to HTTP Host Header Attack" with a recommendation of "...the Host request header is user specified and shouldn't be trusted. Ensure that strict white listing is used to validate the Host header."

I am currently using React.js as my frontend framework and Firebase for Functions (Node.js), Hosting, Authentication, Storage and Analytics. I am not understanding from my general internet search where, or even what, I should be changing to remedy this vulnerability. I am gathering that I may be using code in my server calls that is using the raw "HOST" variable, but I don't see anywhere in my code that this is accessed explicitly. I do have a functions.https.onCall() function, which is maybe using the HOST internally. Obviously I have many onCreate(), onUpdate(), etc. calls. Maybe it is another function or library I am using behind the scenes?

What is the solution to prevent host header attacks on Firebase?

Firebase Functions package.json:

{
  "name": "functions",
  "scripts": {
    "lint": "tslint --project tsconfig.json",
    "build": "tsc",
    "serve": "npm run build && firebase emulators:start --only functions",
    "shell": "npm run build && firebase functions:shell",
    "start": "npm run shell",
    "deploy": "firebase deploy --only functions",
    "logs": "firebase functions:log"
  },
  "engines": {
    "node": "10"
  },
  "main": "lib/index.js",
  "dependencies": {
    "@google-cloud/firestore": "^4.10.0",
    "@sendgrid/mail": "^7.4.7",
    "@types/nodemailer": "^6.4.0",
    "@types/uuid": "^8.3.0",
    "firebase-admin": "^9.5.0",
    "firebase-functions": "^3.16.0",
    "order-id": "^2.1.1",
    "papaparse": "^5.3.0",
    "request": "^2.88.2",
    "uuid": "^8.3.2"
  },
  "devDependencies": {
    "firebase-functions-test": "^0.2.3",
    "tslint": "^5.12.0",
    "typescript": "^3.9.9"
  },
  "private": true
}

CodePudding user response:

If you are using Firebase Hosting, the report is likely referring to the fact that the Host header is used to route requests to the appropriate site. This is working as intended -- since Firebase Hosting is a multi-tenant service, the Host header provides necessary information to disambiguate between sites.

No action should be necessary on your part - Firebase already carefully validates the header against known sites.
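For the case where your own function code does read the Host header (for example to build absolute URLs in e-mails or redirects), the strict allowlisting the report recommends looks like this. This is an added example, not code from the question or the answer: the domains are constructed, and `handler` is a hypothetical stand-in for the function you would pass to functions.https.onRequest.

```javascript
// Constructed allowlist: the only hostnames this function should ever serve.
const ALLOWED_HOSTS = new Set([
  'example-project.web.app',          // constructed Firebase Hosting default domain
  'example-project.firebaseapp.com',  // constructed Firebase Hosting default domain
  'app.example.com',                  // constructed custom domain
]);

// Normalise a raw Host header value to a lowercase hostname without a port.
// Returns null when the value is missing or malformed, so it gets rejected.
function normalizeHost(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return null;
  // A comma is never valid in a hostname; it shows up when an intermediary
  // joins several Host headers, so treat it as malformed.
  if (raw.includes(',')) return null;
  let host = raw.trim().toLowerCase();
  // IPv6 literals are never expected on these domains: reject brackets outright.
  if (host.startsWith('[')) return null;
  // Strip an explicit port such as "app.example.com:443".
  const colon = host.indexOf(':');
  if (colon !== -1) host = host.slice(0, colon);
  // Only plain hostname characters remain acceptable.
  if (!/^[a-z0-9.-]+$/.test(host)) return null;
  return host;
}

// Exact-match check against the allowlist (no suffix or substring matching).
function isAllowedHost(raw, allowlist = ALLOWED_HOSTS) {
  const host = normalizeHost(raw);
  return host !== null && allowlist.has(host);
}

// Hypothetical request handler with the (req, res) shape used by onRequest.
// The Host check runs before any application logic touches the header.
function handler(req, res) {
  if (!isAllowedHost(req.headers.host)) {
    res.status(421).send('Misdirected Request');
    return;
  }
  // Build absolute URLs only from the validated, canonical hostname,
  // never from the raw header value.
  const canonicalHost = normalizeHost(req.headers.host);
  res.status(200).send(`https://${canonicalHost}/`);
}
```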
