On 29/08/2023 08:00, Bhavesh Mistry wrote:
Hi Mark,

I am sorry for the delayed response.

Basically, when the request URL does not match the Host header then I would reject
it.  For example,

curl -vvvv -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com'

Why? What problem are you trying to solve?


Based on the curl -vvv output, the tomcat server does not know the host name used
(www.mydomain.com), but the Host header is attackerHostHeaderInjection.com.

In this case I would like to reject the request and send 403 or 404.  As you
explained, the request line does not have the full URL, so allowHostHeaderMismatch
will not reject it.

So my idea is that using SNI I could get the hostname, compare it with the Host header
or :authority, and reject it on mismatch.

Is it possible to request a new feature on Tomcat to get or expose the SNI name
used by the client?

That is certainly possible. How likely it is to get implemented depends on the justification.

See also https://bz.apache.org/bugzilla/show_bug.cgi?id=64353

Mark
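The comparison Bhavesh proposes (reject a request whose Host or :authority value names a different host than the TLS SNI the client connected with), written out as an added example that is not part of this thread and not Tomcat code. It assumes the server exposes the negotiated SNI name to the application (the thread notes Tomcat does not do so today), takes that name as a plain argument, and uses constructed request headers. It also covers the edge cases a filter would have to decide on: a missing Host, a connection with no SNI at all, and HTTP/2 requests where Host and :authority disagree.

```python
"""Reject requests whose Host / :authority does not name the SNI host (added example)."""
from typing import Optional, Tuple

# Constructed inputs for the demo. A real filter would get the SNI name from
# the TLS layer; this example takes it as a parameter.
SNI_NAME = "www.mydomain.com"
MISMATCHED_REQUEST = {"Host": "attackerHostHeaderInjection.com"}
MATCHING_REQUEST = {"Host": "WWW.mydomain.com:443"}


def normalize_host(value: str) -> str:
    """Canonical form for comparison: lower-case, no port, no trailing dot.

    Bracketed IPv6 literals ("[::1]:8443") keep their brackets and lose the port.
    """
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal in Host")
        return value[: end + 1].lower()
    # Exactly one colon means "host:port"; more than one is a bare IPv6 literal,
    # which a Host header may not carry, so leave it alone and let it mismatch.
    if value.count(":") == 1:
        value = value.rsplit(":", 1)[0]
    return value.rstrip(".").lower()


def check_sni_host(sni: Optional[str], headers: dict,
                   require_sni: bool = False) -> Tuple[bool, str]:
    """Return (accept, reason) for one request.

    headers holds "Host" and/or ":authority" (HTTP/2) with canonical names;
    the caller is responsible for case-folding HTTP/1.1 header names first.
    """
    host = headers.get("Host")
    authority = headers.get(":authority")
    if host is None and authority is None:
        return False, "request carries neither Host nor :authority"
    if (host is not None and authority is not None
            and normalize_host(host) != normalize_host(authority)):
        # RFC 9113 section 8.3.1: Host and :authority naming different
        # entities makes the request malformed, so reject before comparing.
        return False, "Host and :authority disagree"
    requested = normalize_host(authority if authority is not None else host)
    if sni is None:
        # No SNI (for example an IP-literal connection): nothing to compare.
        if require_sni:
            return False, "no SNI but policy requires it"
        return True, "no SNI to compare"
    expected = normalize_host(sni)
    if expected != requested:
        return False, f"Host {requested!r} does not match SNI {expected!r}"
    return True, "Host matches SNI"


if __name__ == "__main__":
    for label, hdrs in (("mismatch", MISMATCHED_REQUEST), ("match", MATCHING_REQUEST)):
        ok, why = check_sni_host(SNI_NAME, hdrs)
        print(f"{label}: {'accept' if ok else 'reject (403)'} - {why}")
```

Whether a connection with no SNI should be accepted is a policy choice, hence the `require_sni` flag: browsers always send SNI for a name-based URL, but clients connecting by IP address do not, so rejecting those blindly can break legitimate monitoring and health-check traffic.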

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
