Qualys WAS now includes a new Information Gathered QID, 150142, for Virtual Host Discovery using HOST headers in HTTP(s) requests.
Web servers commonly serve multiple applications, configured as virtual hosts. A request for www.example.com, for instance, to a server configured in this way will respond with a different application than will a request to the same server for m.example.com. It is critical that virtual hosts be known and evaluated for security problems to help prevent them from becoming an unknown attack surface.
Servers running virtual hosts are commonly found, and do not always indicate a security problem or concern. However, unknown virtual hosts provide attack surfaces that may be unprotected, so it is important to enumerate all virtual hosts on a given server to ensure complete and proper cataloging of web applications. Additionally, while virtual hosts are common, in some cases they may represent server misconfigurations that can be easily remedied.
Our WAS detection technique:
The Qualys WAS scanner will first connect to the base URI (the application a user has defined as their application of interest). Once a connection is established, the scanner will reference a table of commonly used virtual host names (www.; demo.; m.; dev.; staging.; webmail.; etc. - this list is maintained by Qualys and currently contains more than 40 common hostnames). Using this table, the WAS scanner will send a request to the application with a HOST header of the common virtual host name, and will iterate through this list of common names. In the event that a virtual host responds with significantly different content than the base URI, the Qualys WAS scanner will note the difference in "Information Gathered" QID 150142 as the presence of a virtual host.
Known (and expected) virtual hosts need not be mitigated. They should, however, be added to Qualys WAS as applications to be scanned as a component of an application risk management strategy. Unknown virtual hosts, however, should be researched; disabled if they prove to be unnecessary, or added to the list of known and expected virtual hosts to be included in an application scanning program.