Armand.nz

curl-ing things

Spoof the host header

By sending a different Host header in the request, you can make curl direct a request to a specific server or application.

If you run your test HTTP application bound to “example.com” on localhost and want to verify that it works, you can use a curl command that adds the expected Host header:

curl --header "Host: example.com" http://127.0.0.1/

Spoof the host header better

Nowadays, we use HTTPS everywhere, and simply faking the Host header is insufficient. In addition to the Host header, an HTTPS server must receive the server name during the TLS handshake, where it is carried in the SNI field. The server needs that name to determine which certificate to use. The server certificate is generally not issued for an IP address, so curl must also know the correct hostname to validate the server certificate against. In both cases, curl extracts the name to use from the provided URL.

To make this work, we can’t simply use the IP address in the URL. Instead, we can use the --resolve command line option: give curl the correct URL, and supply a custom IP address for the hostname in that URL.

curl --resolve example.com:443:127.0.0.1 https://example.com/

Connect to a hostname via a specific host

If you have a hostname that resolves to multiple front-end servers for the same site or service, you may want to issue a curl command to one specific server. In this case, the server you need to target is named “host-server1.example.com” and serves “example.com”.

You could resolve the hostname before running curl and use --resolve as shown before. Another option is the --connect-to flag, which replaces a hostname + port number pair with another hostname + port number pair before resolving the name. This flag operates on host names instead of IP addresses.

curl --connect-to example.com:443:host-server1.example.com:443 https://example.com/

Other combos: You can combine options like --resolve, --connect-to, and --header in a single command line to achieve complex behaviors, such as connecting to an HTTPS host with the correct name in SNI and certificate verification, but using a different host in the Host: header. Phew.

For example, you can connect to a locally running HTTPS host using the correct SNI and certificate verification names and still request a different host in the Host: header:

curl --resolve example.com:443:127.0.0.1 https://example.com/ --header "Host: somethingelse.example.com"
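To see which name each of the commands above puts at each layer, here is a small Python model. It is an added example, not code from the original post or from curl itself: `plan()` and its result keys are hypothetical names, and it models the option semantics described above rather than calling curl. The `sni_host_mismatch` flag is the condition a server operator can check for when a request's Host header does not match the name the TLS handshake carried.

```python
import ipaddress
from urllib.parse import urlsplit

def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def plan(url, resolve=(), connect_to=(), headers=()):
    """Model (constructed for illustration) of the name curl uses per layer."""
    u = urlsplit(url)
    tls = u.scheme == "https"
    default_port = 443 if tls else 80
    host, port = u.hostname, u.port or default_port

    # --connect-to HOST1:PORT1:HOST2:PORT2 swaps the connection target before
    # name resolution; an empty HOST1 or PORT1 matches any host or port.
    dial_host, dial_port = host, port
    for entry in connect_to:
        h1, p1, h2, p2 = entry.split(":")  # bracketed IPv6 not handled here
        if h1 in ("", host) and p1 in ("", str(port)):
            dial_host, dial_port = h2 or host, int(p2 or port)
            break

    # --resolve HOST:PORT:ADDR pins the address of the name being dialled.
    address = dial_host
    for entry in resolve:
        h, p, addr = entry.split(":", 2)
        if (h, int(p)) == (dial_host, dial_port):
            address = addr

    # --header "Host: ..." changes only the name sent at the HTTP layer.
    host_header = host if port == default_port else f"{host}:{port}"
    for line in headers:
        key, _, value = line.partition(":")
        if key.strip().lower() == "host":
            host_header = value.strip()

    # SNI and certificate verification follow the URL; no SNI for IP literals.
    sni = host if tls and not _is_ip(host) else None
    return {
        "connect": (address, dial_port),
        "sni": sni,
        "verify_name": host if tls else None,
        "host_header": host_header,
        "sni_host_mismatch": sni is not None and host_header.split(":")[0].lower() != sni,
    }
```

Calling `plan("https://127.0.0.1/", headers=["Host: example.com"])` shows why the plain Host header trick fails over HTTPS: no SNI is sent and the certificate is checked against `127.0.0.1`.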

Copyright © Armand