We are doing an MDAST scan with Burp Suite for our Angular application. We got errors in Host Header Injection and Cross-Origin Resource Sharing. For accessing local images from dist, an HTTP request is triggered by Angular.
The request to http://x.x.x.x:9021/ksi.svg has Host and Referer headers; it doesn't include an Origin header (this image is loaded from a CSS content: url property). The request to http://x.x.x.x:9021/assets/images/pka.svg has only a Host header; it doesn't include either the Origin or Referer header (this image is loaded from <img src=''>).
Why is there this difference in headers?
Note:
/assets/images/ folder only.

Your image doesn't set any Referer header, most likely because its referrerpolicy attribute is set to no-referrer, same-origin or it's set at the default strict-origin-when-cross-origin. On the referrerPolicy docs you can find what the accepted values for it are and what each one does.
To answer your title question, i.e. "how to prevent Host Header Injection", you can do several things, among which:
host header at all in server-side code
X- ones)
There is a really good post by PortSwigger that explains this attack and its countermeasures.
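As an added illustration of the countermeasures listed above (this is example code, not from the answer or the PortSwigger post): a plain Node function that allowlists the Host header and the X-Forwarded-Host header, plus a helper that builds absolute links from configuration instead of the request. The allowed host values and the canonical origin are constructed for the example.

```javascript
// Added example: allowlist check for Host / X-Forwarded-Host, usable as
// middleware in any Node HTTP server. Values below are constructed.
const ALLOWED_HOSTS = new Set(["app.example.com", "x.x.x.x:9021"]); // constructed

// Normalise a host value: trim, lower-case, and drop the scheme's default
// port so "app.example.com:443" matches the allowlisted "app.example.com".
function normalizeHost(value, scheme = "https") {
  if (typeof value !== "string") return null;
  let host = value.trim().toLowerCase();
  const defaultPort = scheme === "https" ? ":443" : ":80";
  if (host.endsWith(defaultPort)) host = host.slice(0, -defaultPort.length);
  // Only a bare host[:port] is acceptable; "@", "/" or whitespace inside the
  // value means it is not a host name and the request is rejected.
  if (!/^[a-z0-9.-]+(:\d{1,5})?$/.test(host)) return null;
  return host;
}

// Returns the host the application may safely use, or null when the request
// must be rejected. Host and X-Forwarded-Host are both checked: an absent
// header is fine, a present but non-allowlisted one fails the request.
// Returns null as well when neither header is present.
function checkHostHeaders(headers, allowed = ALLOWED_HOSTS, scheme = "https") {
  const candidates = [headers["host"], headers["x-forwarded-host"]];
  let effective = null;
  for (const raw of candidates) {
    if (raw === undefined) continue;
    // Proxies may append several comma-separated values; all must be allowlisted.
    for (const part of String(raw).split(",")) {
      const host = normalizeHost(part, scheme);
      if (host === null || !allowed.has(host)) return null;
      effective = effective ?? host;
    }
  }
  return effective;
}

// Absolute links (password-reset mails, redirects) come from configuration,
// never from the request's Host header. Origin is constructed for the example.
const CANONICAL_ORIGIN = "https://app.example.com";
function absoluteUrl(path) {
  return new URL(path, CANONICAL_ORIGIN).toString();
}
```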
