How to protect for Host Header Injection in Endpoints on AppEngine


Alexandru Gogan

Jul 15, 2020, 3:40:43 PM
to Google App Engine
Hi everyone, 
I'm seeing some odd behaviour with App Engine Flex and Cloud Endpoints that might be prone to Host Header Injection.

If I send a request to the root domain of my API running on AppEngine Flex with Cloud Endpoints, with a specified HOST header, the content of the specified host is loaded as the content if the redirects are followed.

Request:
GET / HTTP/1.1
HOST: evil.host.com

Response:
302 to resolved domain http://evil.host.com/some-evil-url.html

As far as I understood from the Endpoints Team, there is no way to configure the ESP to check the headers for the origin host and reject based on an allowed list or pattern. 
With AppEngine Flex it would be the responsibility of the application to handle this. 
However, if the request is made against the root path, my application does not receive the request to handle it.

According to the documentation https://cloud.google.com/endpoints/docs/openapi/openapi-limitations#operations_on_url_root_path_
it is not possible to provide an implementation for the root path.

Are there any other ways to prevent this behaviour and protect against Host Header Injection?
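One way to handle the application-side part of this, as an added example that is not code from the thread or from Google: a WSGI middleware that rejects any request whose Host header is not on an exact-match allowlist, plus a redirect helper that builds the Location header from a configured canonical base instead of the incoming Host. The allowlist entries, `CANONICAL_BASE`, the middleware class and the `demo_app`/`simulate` helpers are assumptions made up for the example. As the post above describes, this only covers paths the application actually receives; a request for the root path that ESP answers itself never reaches this code.

```python
# Added example (not from the thread): application-level Host header
# allowlist for a WSGI app on App Engine Flex. ESP does not filter the
# Host header, so the application must do it for the paths it receives
# (the root path, answered by ESP, is not covered by this check).

ALLOWED_HOSTS = frozenset({"api.example.com", "my-project.appspot.com"})  # constructed
CANONICAL_BASE = "https://api.example.com"  # constructed: never derived from the request


def normalize_host(host_header):
    """Lowercase the Host value and strip an optional :port (IPv6 literal aware)."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):                      # "[::1]:8080" -> "[::1]"
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Exact-match check only: no suffix or regex matching, so a value such as
    'api.example.com.evil.host.com' or an empty header is rejected."""
    host = normalize_host(host_header)
    return bool(host) and host in allowed


def redirect_location(path, base=CANONICAL_BASE):
    """Build an absolute redirect target from configuration, not from the
    incoming Host header, so a forged Host cannot steer the Location header."""
    if not path.startswith("/"):
        path = "/" + path
    return base + path


class HostAllowlistMiddleware:
    """Reject any request whose Host header is not on the allowlist."""

    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app = app
        self.allowed = allowed

    def __call__(self, environ, start_response):
        if not host_is_allowed(environ.get("HTTP_HOST", ""), self.allowed):
            body = b"Misdirected Request"
            start_response("421 Misdirected Request", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in application (constructed): one redirect route, one plain route."""
    if environ.get("PATH_INFO") == "/old":
        start_response("302 Found", [("Location", redirect_location("/new"))])
        return [b""]
    body = b"ok"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def simulate(app, host, path="/health"):
    """Drive a WSGI app with a minimal environ; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_HOST": host,
               "wsgi.url_scheme": "https", "SERVER_NAME": "localhost",
               "SERVER_PORT": "443"}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = HostAllowlistMiddleware(demo_app)
    for host in ("api.example.com", "evil.host.com"):
        status, headers, _ = simulate(app, host, "/old")
        print(host, "->", status, headers.get("Location"))
```

With the middleware in place, a request carrying a forged Host header is answered with 421 before the application sees it, and the redirect route always points at the configured canonical host regardless of what the client sent. The same allowlist should also be applied in the framework's own trusted-host setting if one exists, and the redirect helper is the piece that removes the dependency on the Host header entirely.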





Alexis (Google Cloud Platform Support)

Jul 16, 2020, 3:25:25 PM
to Google App Engine
Hello Alexandru,

Thank you for reporting this potential issue.

It would be preferable to post this type of issue directly with our engineering team. You mentioned "As far as I understood from the Endpoints Team"... And I'm wondering if you already did post that with them? I searched and couldn't find such a post in our system. The process on how to do it is listed here[1] and it shows you how to access that ticketing system to submit your issue.

Could you let me know if you've already created such an issue please? I don't want to create a duplicate. Then, we could follow up with it.

Thank you.

Alexandru Gogan

Jul 16, 2020, 3:32:03 PM
to Google App Engine
Hi Alexis, 
thank you for redirecting me. I have not yet posted an issue through the ticketing system.
It was a discussion in the Endpoints Group (https://groups.google.com/g/google-cloud-endpoints/c/DXaGpejpXqo) but happy to file an issue to get some help looking into this.

Thanks a lot! 

VNT TUYEN NG

Jul 29, 2020, 1:07:50 PM
to Google App Engine
How are you doing, friend? Please, how can I create a domain with host?

Alexandru Gogan

Jul 29, 2020, 1:10:51 PM
to Google App Engine
Hi there, 
you can find some detailed guides on how to map a custom domain in the documentation [1]

[1] - https://cloud.google.com/appengine/docs/standard/python/mapping-custom-domains