Is it possible that they change the "HTTP_HOST" header while visiting or posting to our site? That is what the GetStoreHost(bool useSsl) method in WebHelper.cs uses to get the storeLocation.
So if that is possible, while the store cache is empty and those crawlers visit our site, the storeLocation is being set by their host.
And it rarely happens, so that kinda makes sense to me.
Is it possible? Any idea?
Yes, it's possible. It's an example of cache poisoning as described in this article: http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html. It's pretty easy to replicate:
1. Make sure the binding for the nop site in IIS has no hostname specified.
2. Use a browser extension like ModHeader for Chrome that allows you to modify the header values that are sent with the HTTP request.
3. Configure ModHeader to send a different string on the host variable.
4. Browse to the nop website homepage (make sure it's the first request to the site so that the cache is empty). Whatever string you set in the host variable will be used in place of the actual hostname, so you'll see lots of broken image links where it's used the modified host header to construct the absolute URL for the image src (why do the image srcs need to use absolute URLs anyway?).
5. Switch off the ModHeader profile and refresh the page. The image links will still be broken since they've been cached using the absolute URL generated with the fake host name. Clearing the cache or restarting the site will fix it.
This very simple example is easy to mitigate against: just make sure that the site bindings in IIS are set up with explicit host names so that IIS doesn't send the request to nop in the first place.
It would be interesting to know from anyone that's been affected by this how they have their IIS bindings set up.
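
An application-side check that complements the IIS binding fix described in the answer above, as an added example that is not part of the original posts and is not nopCommerce code. It caches the store location on the first request, once without and once with validation of the Host header against the configured hosts; `StoreLocationCache`, `HostOnly` and the sample host names are hypothetical.

```csharp
using System;
using System.Collections.Generic;

// Added illustration, not nopCommerce code: every name and host here is hypothetical.
class StoreLocationCache
{
    private readonly HashSet<string> _allowed;
    private readonly string _fallback;
    private readonly bool _validate;
    private string _cached; // empty until the first request, like a cold store cache

    public StoreLocationCache(string[] configuredHosts, bool validate)
    {
        _allowed = new HashSet<string>(configuredHosts, StringComparer.OrdinalIgnoreCase);
        _fallback = configuredHosts[0];
        _validate = validate;
    }

    // Host may carry a port ("shop.example.com:8080") or be an IPv6 literal ("[::1]:80").
    private static string HostOnly(string header)
    {
        header = (header ?? "").Trim();
        if (header.StartsWith("["))
        {
            int close = header.IndexOf(']');
            return close > 0 ? header.Substring(0, close + 1) : "";
        }
        int colon = header.IndexOf(':');
        return colon >= 0 ? header.Substring(0, colon) : header;
    }

    public string GetStoreLocation(string hostHeader, bool useSsl)
    {
        if (_cached != null) return _cached;          // later requests reuse the first answer
        string host = HostOnly(hostHeader);
        if (_validate && !_allowed.Contains(host))
            host = _fallback;                          // never cache a host we do not serve
        _cached = (useSsl ? "https://" : "http://") + host + "/";
        return _cached;
    }

    static void Main()
    {
        string[] configured = { "shop.example.com" };                      // constructed sample config
        string[] hostHeaders = { "crawler.invalid", "shop.example.com" };  // constructed requests
        foreach (bool validate in new[] { false, true })
        {
            var cache = new StoreLocationCache(configured, validate);
            foreach (string h in hostHeaders)
                Console.WriteLine($"validate={validate} Host={h} -> {cache.GetStoreLocation(h, false)}");
        }
    }
}
```

Without validation, the foreign host from the first request is what every later request gets back from the cache; with validation, the cache only ever holds a configured host.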