Penetration Testing mailing list archives

HOST header manipulation


From: mhellman () taxandfinance com
Date: Thu, 23 Apr 2009 09:16:27 -0500 (CDT)

I'm reviewing the authentication process of a web application.  It appears
there is a reverse proxy in front of the app that utilizes an auth
framework.  A request for a URL protected by the reverse proxy results in
multiple redirects that eventually return a login form. The original URL
is persisted first in the redirect URL and then in a cookie.  After
authentication, a redirect to the original URL occurs based on the
provided cookie value. Let's assume for now that the URL and cookie issues
are fixed and the original URL is persisted by some other means (maybe a
session...assume this is done right...no fixation or other issues).  I
digress...here is my question:

If the issue is that the reverse proxy will accept any HOST header and
persist it through the login such that the final redirect can go anywhere,
how might an attacker get a victim to submit a request with a crafted
HOST header? XHR? Flash? Java?

TIA

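A defensive sketch of the condition described in the message above, added here and not part of the original post: the proxy checks the Host header against an allowlist and builds the post-login redirect from the allowlisted name plus a stored relative path. The host names, the https-on-default-port scheme and all function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed configuration (constructed values): hostnames the proxy really serves.
ALLOWED_HOSTS = {"app.example.com", "portal.example.com"}


def normalize_host(host_header):
    """Return the lowercase hostname from a Host header, or None if malformed."""
    if not host_header or any(c in host_header for c in " \t\r\n/@\\?#"):
        return None
    try:
        parts = urlsplit("//" + host_header)
        parts.port  # raises ValueError on a non-numeric or out-of-range port
        host = parts.hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def safe_return_path(stored):
    """Accept only a same-site path such as /reports?id=7; otherwise use /."""
    if not stored or not stored.startswith("/") or stored.startswith("//"):
        return "/"
    if "\\" in stored or any(ord(c) < 0x20 for c in stored):
        return "/"
    return stored


def post_login_redirect(host_header, stored_return_to):
    """Return (status, location); location is built from the allowlist entry,
    never from the raw Host header. Assumes https on the default port."""
    host = normalize_host(host_header)
    if host not in ALLOWED_HOSTS:
        return 400, None
    return 302, "https://" + host + safe_return_path(stored_return_to)


if __name__ == "__main__":
    for h, p in [("app.example.com", "/reports?id=7"),
                 ("evil.example.net", "/reports"),
                 ("APP.EXAMPLE.COM:443", "//evil.example.net/x")]:
        print(h, p, "->", post_login_redirect(h, p))
```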