Configure "Host:" header when scanning web applications

Scanning / scan configuration
1

Hi everyone.

Using Greenbone Community on Debian 12, it works really fine, except for one problem though.

I know Greenbone is not a web application vulnerability scanner per-se, but some checks can be done on those, and are present in the scan settings.

In my targets, i have two domain names, examplecom and apiexamplecom, pointing to the same reverse proxy. They resolve fine : all tests can be completed.

Thing is : when doing HTTP request to scan a web app, the agent does not use any “Host: examplecom”. Thing is, depending on what you have up front as reverse proxy (let’s say Apache, Nginx or as i have, HAProxy), you can’t scan ALL web applications, as the reverse proxy routes the query to one and only one, or even none, responding 503 (which is my case).

This is not a problem of HAProxy (or a WAF intercepting requests). Everything routes fine, except Greenbone agents.

So now my question : is it possible to configure scans to use the target domain as “Host: ” ?

Thanks a lot in advance.

2

Hello,

and welcome to this community forum.

AFAICT there is no such setting and none should be required. The scanner will add the hostname to the Host header automatically if one or more of these applies:

  1. The hostname was passed to the target definition of the scan task
  2. Only an IP was passed to the target definition and the scanner is able to resolve the IP to a hostname
  3. Additional hostnames could be gathered during the scan from e.g. SSL/TLS certificates

A prerequisite is that the scanner preference expand_vhosts is set to yes.

There might be special cases where either no Host header is passed at all or only an IP is included:

  1. For service detection / probes
  2. The VT in question had modified the HTTP request for checking a specific flaw / vulnerability (e.g. an authentication bypass by modifying the Host header)
  3. Aged/old VTs (from e.g. pre2008) which are crafting their own HTTP headers instead of using more “modern” functions handling the Hostname addition
    • Usually these shouldn’t be a big problem and are getting updated from time to time during maintenance works to use more standard functions from the scanner
2 Likes
3

Hi, and thanks for the answer.
I’m gonna try again, not sure expend_vhosts is yes on my scan configuration. Will check that.
As far as I can tell, targets are FQDNs, so the item 1. of your list seems to be OK in my target configuration. Since it is a reverse proxy with TLS and a certificate, item 3. should work as well.

And noted for the exception list.

I’ll try again, and mark as a solution if it solves my problem.

Thank you very much for your answer and have a nice day :slight_smile:

1 Like