
Once DNS has directed traffic to the correct server, the web server's configuration determines how incoming requests are handled. Typical web servers (e.g. Apache, Nginx, or IIS) are designed to host multiple websites or applications on a single server. This is done through virtual hosting, which allows the server to differentiate between domains, subdomains, or separate websites with distinct content.


Virtual Hosting Theory - VHosts & Subdomains

VHosting, or Virtual Hosting, is the ability of a web server to distinguish between websites or applications which use the same IP address. They are differentiated by the HTTP Host request header, a key piece of information which is included in every HTTP/HTTPS request.

Difference between VHosts & Subdomains in DNS

  • Subdomains: extensions of the main domain (e.g. example.com & blog.example.com). They typically have their own DNS records, which point either back to the same IP address as the main domain or to a different one. They are usually used to organise different sections or services of a website.
  • Virtual Hosts (VHosts): configurations made within a web server to allow multiple websites or applications to be hosted on a single server. Each VHost can have its own configuration, enabling precise control over request handling.

A Virtual Host may not have a DNS record associated with it; however, it can still be accessed by modifying the hosts file to map its domain name to the IP address manually.

Example of Virtual Host (Apache)

<VirtualHost *:80>
    ServerName www.domain1.com
    DocumentRoot /var/www/example1
</VirtualHost>

<VirtualHost *:80>
    ServerName www.domain2.org
    DocumentRoot /var/www/example2
</VirtualHost>

<VirtualHost *:80>
    ServerName www.domain3.net
    DocumentRoot /var/www/example3
</VirtualHost>

Apache Configuration for Virtual Hosts

The domains in the example above (domain1.com, domain2.org, and domain3.net) are all distinct from each other; however, they are all hosted on the same server.

The Host request header tells the web server which website to return, along with its content, based on the requested domain name.


Server VHost Lookup

sequenceDiagram
title: Web Server Determining Virtual Host from Request
participant B as Browser
participant WS as Web Server
participant VH as Virtual Host Configuration
participant DR as Document Root

B ->> WS: HTTP Request
WS ->> WS: Examine Host Header for Domain
WS ->> VH: Find Matching Domain in Configuration
VH -->> WS: Return Document Root
WS ->> DR: Retrieve Files & Resources
DR -->> WS: Return Files & Resources
WS -->> B: HTTP Response
B ->> B: Render Content for User

Browser Requests a Website

A domain is entered and an HTTP request is sent to the web server at the IP address associated with that domain, based on the hosts file or DNS resolution.

Host Header Reveals the Domain

The browser includes the domain name in the Host Header which acts as a label indicating the domain being requested.

Web Server Determines the Virtual Host

The web server receives the request and examines the Host header for the requested domain, checking its configuration for the corresponding virtual host.

Serving the Right Content

Upon identifying the correct virtual host, the web server retrieves and returns the relevant domain's files and resources.

The Host Header acts like a switch, indicating the relevant domain and allowing the web server to dynamically determine which website to return based on the domain.
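The lookup steps above, modelled as an added example that is not part of the original page or of Apache's code: it parses the Apache configuration shown earlier, extracts the Host header from raw request bytes, and selects the document root. The function names are hypothetical, and falling back to the first-listed vhost for a missing or unmatched Host is an assumption modelled on Apache's name-based matching.

```python
import re

# Constructed input: the Apache configuration from this page's example.
APACHE_CONF = """
<VirtualHost *:80>
    ServerName www.domain1.com
    DocumentRoot /var/www/example1
</VirtualHost>
<VirtualHost *:80>
    ServerName www.domain2.org
    DocumentRoot /var/www/example2
</VirtualHost>
<VirtualHost *:80>
    ServerName www.domain3.net
    DocumentRoot /var/www/example3
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return [(server_name, document_root), ...] in configuration order."""
    vhosts = []
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M | re.I)
        root = re.search(r"^\s*DocumentRoot\s+(\S+)", block, re.M | re.I)
        if name and root:
            vhosts.append((name.group(1).lower(), root.group(1)))
    return vhosts

def host_from_request(raw):
    """Return the Host header value from raw HTTP request bytes (None if absent)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        key, _, value = line.partition(":")
        if key.strip().lower() == "host":
            return value.strip()

def select_vhost(raw, vhosts):
    """Pick the vhost for a request; a missing or unmatched Host gets the first one."""
    host = host_from_request(raw) or ""
    name = host.split(":")[0].lower().rstrip(".")  # drop an optional :port
    for server_name, root in vhosts:
        if server_name == name:
            return server_name, root
    return vhosts[0]  # assumption: first-listed vhost is the fallback, as in Apache

if __name__ == "__main__":
    table = parse_vhosts(APACHE_CONF)
    for h in ("www.domain2.org", "WWW.DOMAIN3.NET:80", "unlisted.example"):
        raw = f"GET / HTTP/1.1\r\nHost: {h}\r\n\r\n".encode()  # constructed request
        print(h, "->", select_vhost(raw, table))
```

The unlisted name still receives content from the fallback vhost, which is why an unexpected Host value does not necessarily produce an error response.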


Three Primary Types of Virtual Hosting

Name-Based

Name-Based virtual hosting relies solely on the HTTP Host header to distinguish between websites based on domain. It is the most common and flexible method: it does not require multiple IP addresses, which makes it the more cost-effective option, it is easy to set up, and it is supported by most modern web browsers.

Name-Based Virtual Hosting requires the HTTP Host request header (introduced in HTTP/1.1).

IP-Based

IP-Based virtual hosting assigns a unique IP address to each website hosted on the server. As a result, the server is able to determine which website to serve based on the IP address the request was sent to.

Unlike Name-Based VHosting, IP-Based VHosting does not rely on the Host header and can be used with any protocol, and therefore offers better isolation between sites.

The downside of this type of virtual hosting is that it requires multiple IP addresses, which can be expensive and less scalable. Unlike Name-Based VHosting, which relies on the HTTP/1.1 protocol, IP-Based VHosting works with any protocol (e.g. HTTPS, FTP, SMTP), making it a flexible choice for a server hosting multiple services.

Port-Based

Different websites are associated with different ports on the same IP address. For example, port 80 may host one website, while another is accessible on port 8080.

Port-Based Virtual Hosting is typically used when IP addresses are limited, but it is not as common or user-friendly as Name-Based VHosting, and it might require users to specify port numbers in URLs, which may be unfamiliar to the typical user.


Virtual Host Discovery Tools

While manual analysis of HTTP headers and reverse DNS lookups can be effective in discovering vhosts, tools exist which automate and streamline the process. They make it more efficient and comprehensive by employing a variety of techniques to probe the target server and uncover potential virtual hosts.

| Tool | Description | Features |
|---|---|---|
| gobuster | Multi-purpose tool often used for directory/file brute-forcing, can also be effective for vhost discovery. | Fast, supports multiple HTTP methods, and can use custom wordlists. |
| Feroxbuster | Rust-based implementation known for speed and flexibility. | Supports recursion, wildcard discovery, and various filters. |
| ffuf | Fast web fuzzer that can be used for virtual host discovery by fuzzing the Host header. | Customisable wordlist input and filtering options. |

## GoBuster

Gobuster is a versatile and widely used tool, commonly used for directory and file brute-forcing, but it also excels at virtual host discovery: it systematically sends HTTP requests with different Host headers and assesses the responses for valid vhosts.

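How the Host-header brute-forcing described above looks from the server side, as an added example that is not part of the original page: it flags clients that send many distinct, unconfigured Host values in a short time. The log format, the threshold and window values, and the function name are assumptions; the sample log lines are constructed.

```python
import re
from collections import defaultdict

KNOWN_VHOSTS = {"www.domain1.com", "www.domain2.org", "www.domain3.net"}
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<ts>\d+) "(?P<host>[^"]*)" \d{3} \d+$')

# Constructed sample log. Assumed format: client IP, epoch seconds, Host header,
# status, response bytes (the raw Host header has to be logged explicitly).
SAMPLE_LOG = """\
198.51.100.20 1700000000 "www.domain1.com" 200 5120
203.0.113.7 1700000001 "admin.domain1.com" 200 5120
203.0.113.7 1700000001 "dev.domain1.com" 200 5120
198.51.100.20 1700000002 "www.domain2.org" 200 7340
203.0.113.7 1700000002 "staging.domain1.com" 200 5120
203.0.113.7 1700000003 "mail.domain1.com" 200 5120
192.0.2.44 1700000003 "ww.domain3.net" 200 5120
203.0.113.7 1700000003 "test.domain1.com" 200 5120
203.0.113.7 1700000004 "WWW.domain1.com:80" 200 5120
"""


def find_host_enumeration(lines, known=KNOWN_VHOSTS, threshold=5, window=60):
    """Map client IP -> unconfigured Host values, for clients that sent at least
    `threshold` distinct ones within `window` seconds."""
    unknown = defaultdict(list)  # ip -> [(timestamp, host)] for unconfigured names
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        host = m["host"].split(":")[0].lower().rstrip(".")
        if host not in known:
            unknown[m["ip"]].append((int(m["ts"]), host))
    alerts = {}
    for ip, events in unknown.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for ts, h in events[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                alerts[ip] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for ip, hosts in find_host_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(hosts)} unconfigured Host values: {', '.join(hosts)}")
```

A single mistyped name (the 192.0.2.44 line) stays below the threshold, while the client cycling through unconfigured names is reported.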
### Preparation before Brute-Forcing

Target Identification - First, identify the target web server's IP address, which can be done through DNS lookups or other reconnaissance techniques.

Wordlist Preparation - Prepare a wordlist containing potential virtual host names (e.g. a pre-compiled wordlist).