Re: allowHostHeaderMismatch option only works if the Host Header has an http or https prefix

2022-05-28 Thread Christopher Schultz
Ralph, On 5/27/22 18:31, Ralph Atallah wrote: I suspect that if we were to take the time to set up a proxy, according to RFC7230, we would be able to get the absolute-form to reach the Tomcat code and in that case, based on reading the AbstractHttp11Processor class, I suspect the

RE: allowHostHeaderMismatch option only works if the Host Header has an http or https prefix

2022-05-27 Thread Ralph Atallah
Hi Chris, I suspect that if we were to take the time to set up a proxy, according to RFC7230, we would be able to get the absolute-form to reach the Tomcat code and in that case, based on reading the AbstractHttp11Processor class, I suspect the allowHostHeaderMismatch will kick in and will

RE: allowHostHeaderMismatch option only works if the Host Header has an http or https prefix

2022-05-27 Thread Ralph Atallah
Hi Mark, Thank you for your help. It took some digging to fully understand the nuances in your answers below. Here are some pointers to anyone who experiences the same issue in the future and to whom these pointers might be helpful. 1. Although I had previously visited the link to the

Re: allowHostHeaderMismatch option only works if the Host Header has an http or https prefix

2022-05-27 Thread Christopher Schultz
Mark, On 5/27/22 3:13 AM, Mark Thomas wrote: On 27/05/2022 02:00, Ralph Atallah wrote: Hi Mark, Thanks again for the prompt response. You wrote below: "If the original request only has a Host header, then allowHostHeaderMismatch="false" isn't going to do anything because there is no

Re: allowHostHeaderMismatch option only works if the Host Header has an http or https prefix

2022-05-27 Thread Mark Thomas
On 27/05/2022 02:00, Ralph Atallah wrote: Hi Mark, Thanks again for the prompt response. You wrote below: "If the original request only has a Host header, then allowHostHeaderMismatch="false" isn't going to do anything because there is no mismatch.". I am not clear on what this means. What

RE: allowHostHeaderMismatch option only works if the Host Header has an http or https prefix

2022-05-26 Thread Ralph Atallah
Hi Mark, Thanks again for the prompt response. You wrote below: "If the original request only has a Host header, then allowHostHeaderMismatch="false" isn't going to do anything because there is no mismatch.". I am not clear on what this means. What should the match be between? I thought

Re: allowHostHeaderMismatch option only works if the Host Header has an http or https prefix

2022-05-26 Thread Mark Thomas
On 26/05/2022 14:29, Ralph Atallah wrote: Hi Mark, What we are trying to do is to prevent Host header attacks by ensuring that the host name in the http request URL always matches the "Host" header in the request. If it does not, we are supposed to refuse the request and respond with 400 Bad

RE: allowHostHeaderMismatch option only works if the Host Header has an http or https prefix

2022-05-26 Thread Ralph Atallah
Hi Mark, What we are trying to do is to prevent Host header attacks by ensuring that the host name in the http request URL always matches the "Host" header in the request. If it does not, we are supposed to refuse the request and respond with 400 Bad Request as per OWASP recommendations. Here

Re: allowHostHeaderMismatch option only works if the Host Header has an http or https prefix

2022-05-26 Thread Mark Thomas
On 26/05/2022 02:20, Ralph Atallah wrote: Hi, We use Tomcat 7.0.109 and Tomcat 8.5 in our Tomcat based webapp deployments and we have a new requirement to prevent Host Header injection. The allowHostHeaderMismatch option seems the perfect answer to this issue. However, configuring it in