Hi there,

________________________________________________________________________________
Server Specs:
Server version: Apache Tomcat/7.0.54
Server built:   May 19 2014 10:26:15
Server number:  7.0.54.0
OS Name:        Windows Server 2012
OS Version:     6.2
Architecture:   amd64
JVM Version:    1.8.0_121-b13
JVM Vendor:     Oracle Corporation
________________________________________________________________________________
I'm currently in the process of trying to fix a site vulnerability; basically it is one type of the "Improper Input Handling" attack.

Let's say my website is www.mywebsite.com and there is a hacker's website www.hacker.com. Whenever a request is sent to www.mywebsite.com with a modified "Host" header pointing to www.hacker.com, my site will create a redirect to www.mywebsite.com along with whatever the URL was. e.g.

Normal:
  Host: www.mywebsite.com
  GET www.mywebsite.com/get/some/resources/
  Response 200 OK

Hack:
  Host: www.hacker.com   (# has been manually modified)
  GET www.mywebsite.com/get/some/resources/
  Response 302, sends another redirect to www.hacker.com/get/some/resources

My website is running on Tomcat 7. I tried a solution of setting up a virtual host, pointing unknown hosts to a defaultlocalhost which is supposed to do nothing, but it still sends the redirect for some reason. Attached here is my server.xml host configuration:

________________________________________________________________________________
<Engine name="Catalina" defaultHost="defaultlocalhost" jvmRoute="jvm1">
  <Host name="www.mywebsite.com" appBase="webapps" unpackWARs="true" autoDeploy="false" deployOnStartup="true">
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  </Host>
  <Host name="defaultlocalhost" >
  </Host>
</Engine>
________________________________________________________________________________

So, my question is: am I on the right track to prevent this kind of attack? If yes, what did I do wrong that it is still not working? (The ultimate goal is: if it is not the legit Host that has been passed in, the request should be discarded/ignored/return 404, but not redirected with 302.)

Thank you in advance.
More references about the attack here:
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling

Original post on Stack Overflow:
https://stackoverflow.com/questions/44054591/tomcat-virtual-host-to-prevent-improper-input-handling-attack

Charles Cai | Web Application Developer | RIDGID
Emerson Commercial & Residential Solutions | charles....@emerson.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
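Added example, not part of the post above or of the Tomcat project: Tomcat picks the virtual host from the Host header, but the 302 the poster describes is built by the application layer (HttpServletResponse.sendRedirect turns a relative URL into an absolute Location using the request's server name, which Tomcat takes from that same Host header). A servlet Filter that compares the Host header against an allowlist and answers 404 for anything else gives the "discard, do not redirect" behaviour the poster wants, independently of which Host container the request landed on. The filter targets the javax.servlet API shipped with Tomcat 7; the allowlist entries (www.mywebsite.com, mywebsite.com) are assumed values.

```java
// HostHeaderFilter.java - added example (not from the original post or the Tomcat project).
// Rejects any request whose Host header is not on an allowlist with a 404, before the
// application can use that header to build a redirect. Allowlist entries are assumed.
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HostHeaderFilter implements Filter {

    // Hosts this deployment legitimately serves (assumed; adjust to the real site).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<String>(Arrays.asList("www.mywebsite.com", "mywebsite.com"));

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to configure; the allowlist is static in this example.
    }

    @Override
    public void destroy() {
    }

    /**
     * Normalises a raw Host header (case, surrounding whitespace, optional :port,
     * bracketed IPv6 literal) and checks the remaining host against the allowlist.
     */
    static boolean isAllowedHost(String hostHeader) {
        if (hostHeader == null) {
            return false;                       // HTTP/1.1 requires Host; treat absence as unknown
        }
        String host = hostHeader.trim().toLowerCase(Locale.ROOT);
        if (host.startsWith("[")) {             // IPv6 literal such as [::1]:8080
            int close = host.indexOf(']');
            if (close < 0) {
                return false;                   // malformed literal
            }
            host = host.substring(0, close + 1);
        } else {
            int colon = host.indexOf(':');      // strip :port from a hostname or IPv4 literal
            if (colon >= 0) {
                host = host.substring(0, colon);
            }
        }
        return ALLOWED_HOSTS.contains(host);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        if (!isAllowedHost(req.getHeader("Host"))) {
            // Unknown Host: answer 404 and stop the chain, so no servlet downstream can
            // call sendRedirect() with a Location derived from the supplied value.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Register it in the application's WEB-INF/web.xml with a `<filter>` element naming `HostHeaderFilter` and a `<filter-mapping>` with `<url-pattern>/*</url-pattern>`, and list it before any other filter so it runs first. If a reverse proxy in front of Tomcat rewrites the Host header, the allowlist must contain the value the proxy forwards, not the public name. With the server.xml shown in the post, a request whose Host does not match www.mywebsite.com should already land on defaultlocalhost, which has no appBase; the filter closes the case where the request still reaches the application by some other path.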