Hosts
Seer Box uses the concept of host to uniquely identify the target application to which the request is directed, using the value of the Host header field taken from the HTTP request.
The enumeration of hosts associated with own web servers provided by Seer Box allows one to monitor and keep track of own asset. This process helps the organization prevent potential vulnerabilities on targets that are believed to be retired but still active, resolve any configuration issues, or optimize resources.
Host header and virtual hosting
The Host header field is a mandatory field in HTTP requests and is used to specify the address of the server to which the request is directed. This field is essential when a web server hosts multiple domains on a single IP address, as it allows the server to determine which domain was requested by the client.
The Host field consists of two parts: the host name and the port (if different from the default ports, 80 for HTTP or 443 for HTTPS). For example, if a client sends a request to www.example.com
, the Host field will be www.example.com
. If the request is sent to port 8080, the Host field will be www.example.com:8080
.
The process of matching the Host field with the domain exposed by the server is known as virtual hosting and is handled by different web servers using similar concepts, but depending on the specific type of server.
For this reason, Seer Box identifies the destination of the request using the Host header field: this makes the information independent of the type of web server, making the software more versatile.
Host management
The Host header field is a client-definable field in the HTTP request that may be vulnerable to attack attempts. Seer Box records and returns the value exactly as received in the request, providing a clear representation of the type of traffic reaching its services.
This feature may cause the user to see unfamiliar values that do not match any virtual hosts configured on their system. This is normal when a web service is exposed to the public and the web server handles it automatically. Detecting configuration errors or potential compromises is possible by enumerating these values and analyzing the associated traffic.
The hosts list is available on the Assets - Hosts
page of the Seer Box web interface.
The table displays two additional pieces of information for each item:
- Traffic sources: the traffic sources associated with requests for the specific host.
- Servers and ports: the IP address and port of the web servers that handled the requests for the specific host.
To improve your asset census, catalog the different hosts by utilizing domain groups as explained in the Domain groups section.