Pradeep,

On 9/10/21 06:19, Pradeep wrote:
Hi Team,

I need your help to fix HTTP Host header attacks.
I'm currently in the process of trying to fix a site vulnerability,
basically it is one type of the "Improper Input Handling" attack.

Let's say my website is www.mywebsite.com and there is hacker's website
www.hacker.com
Whenever there is a request sent to www.mywebsite.com with a modified "Host"
header pointing to www.hacker.com, my site will create a redirect to
www.mywebsite.com along with whatever the URL was, e.g.

*Normal:*
Host: www.mywebsite.com
GET  www.mywebsite.com/get/some/resources/
Response 200 OK


*Hack:*
Host: www.hacker.com (#been manually modified)
GET  www.mywebsite.com/get/some/resources/
Response 302
Sends another redirect to www.hacker.com/get/some/resources

I have found the configuration below for Tomcat (my application uses
Tomcat 7). Does this work for this case? Also, I have an existing Host name in
server.xml and I'm not sure how to incorporate both Host configurations. Please help
me with this.

*Solution I found :*

<!-- attribute name is case-sensitive: appBase, not appbase -->
<Host name="defaultlocalhost" appBase="whatever">
</Host>

*My tomcat existing Host configuration:*
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true">
</Host>

I'm not sure why the above configuration would change anything. Can you explain?

Please note that the "attacker" in this situation can only attack himself. Injecting/modifying a header into an HTTP request can only be done if the attacker is in a MitM position, which should not be possible when using HTTPS. If using HTTP, then you are on your own and this attack is trivial.

Assuming there is no MitM, it is challenging to cause another client to use a header of the attacker's choosing.

Unless this is simply an academic question.

I always use Tomcat configured with a "default" <Host>, but I suspect there may be a way to force Tomcat to treat a request as invalid if the Host header doesn't match the name (or alias) of any <Host> configured.

-chris
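A server.xml arrangement that combines the two <Host> entries from the question into the "default Host" setup Chris describes, as an added example and not a snippet from the thread: the real site becomes the named host (with an <Alias> for its bare-domain form, an assumption), and a separate catch-all host with an empty appBase is made the Engine's defaultHost, so a request whose Host header matches no configured name or alias is routed to a host that serves nothing and gets a 404 from Tomcat rather than reaching the application. The host name "catchall" and the directory "catchall-webapps" are assumptions.

```xml
<Engine name="Catalina" defaultHost="catchall">

  <!-- The real site. Only requests whose Host header is exactly this name
       (or one of its Aliases) are routed here. -->
  <Host name="www.mywebsite.com" appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    <!-- assumed alternate name; adjust or drop -->
    <Alias>mywebsite.com</Alias>
  </Host>

  <!-- Catch-all host used for every other Host header value
       (e.g. www.hacker.com). "catchall-webapps" is an assumed,
       deliberately empty directory under $CATALINA_BASE, so nothing is
       deployed here and every request gets a 404. Auto-deployment is
       switched off so nothing can appear in it by accident. -->
  <Host name="catchall" appBase="catchall-webapps"
        unpackWARs="false" autoDeploy="false" deployOnStartup="false">
  </Host>

</Engine>
```

To check the change on a staging instance, send a request with an unexpected Host header (for example with `curl -i -H 'Host: www.hacker.com' http://staging-host:8080/get/some/resources/`, hostname assumed) and confirm the reply is a plain 404 with no Location header.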

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org