I apologize; it looks like the screenshot I provided didn't come through. Here are the details describing the problem:

Host Header Injection
Severity: Low
CVSS Score: 5.0
URL: https://example.domain.com/lgmm
Entity: lgmm (Page)
Risk: It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc. It is possible to deface the site content through web-cache poisoning.
Cause: Lack of input validation and sanitization
Fix: Construct HTTP headers very carefully, avoiding the use of non-validated/unsanitized input data
Difference: Header Host manipulated from: https://example.domain.com/lgmm to: appscanheaderinjection.com
Reasoning: The value AppScan injected seems to be included in the response.

Test Requests and Responses:

GET /lgmm HTTP/1.1
Host: appscanheaderinjection.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://example.domain.com/lgmm
Accept-Language: en-US
Cookie: _ga=GA1.3.1391786996.1665688780; _gid=GA1.3.367705640.1666623649; WASJSESSIONID=0000A4ALFyhmv7lv15hiAc5MRjO:1clm7f9nj; _gat=1; LtpaToken2=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

HTTP/1.1 302 Found
Date: Fri, 28 Oct 2022 01:06:10 GMT
X-Powered-By: Servlet/3.1
Location: https://appscanheaderinjection.com/lgmm/
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en-US
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload

Jonathan Babie
Java Applications Developer
Work: (838) 910-4274

________________________________
From: Jonathan P. Babie
Sent: Monday, November 7, 2022 9:38 PM
To: users@wicket.apache.org <users@wicket.apache.org>
Subject: Host Header Injection Solution

Hello,

Our Wicket web application went through an app scan. We understand most problems that came back from the report and have solutions, but one that's troubling us is:

[inline screenshot, not included]

I've omitted our URLs, but essentially it seems they were able to manipulate the hostname to a different URL. Unfortunately we weren't given much context aside from this report.

We assume that there are three avenues for us to resolve this:
1. Wicket configuration
2. Server configuration
3. Non-issue (if this problem is addressed with the framework itself and we don't need to worry about it)

We did come across this filter that might be a solution:

getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener().addAcceptedOrigin("[domain]"));

Would adding this to our application resolve the above problem? If there's any information you could provide as to how we can address it, we would greatly appreciate it.

Thank you,

Jonathan Babie
Java Applications Developer
Work: (838) 910-4274
Personal: (518) 331-8758

Notice: This communication, including any attachments, is intended solely for the use of the individual or entity to which it is addressed. This communication may contain information that is protected from disclosure under State and/or Federal law. Please notify the sender immediately if you have received this communication in error and delete this email from your system. If you are not the intended recipient, you are requested not to disclose, copy, distribute or take any action in reliance on the contents of this information.