Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-09-01 Thread Bhavesh Mistry
Hi Mark, Thanks for your help. We will go with validation against a known trusted host list as you suggested. Also, I have updated https://bz.apache.org/bugzilla/show_bug.cgi?id=64353 with reference to the discussion. As always, thanks for your wonderful support! Thanks, Bhavesh On Tue, Aug

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-29 Thread Mark Thomas
On 29/08/2023 21:51, Bhavesh Mistry wrote: Hi Mark, curl -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com' *Why? What problem are you trying to solve?* Host Header injection is a vulnerability that needs to be addressed. I am trying to solve if the host

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-29 Thread Bhavesh Mistry
Hi Mark, > curl -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com' *Why? What problem are you trying to solve?* Host Header injection is a vulnerability that needs to be addressed. I am trying to solve if the host is a mismatch between the HOST ( or

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-29 Thread Mark Thomas
On 29/08/2023 08:00, Bhavesh Mistry wrote: Hi Mark, I am sorry for the delayed response. Basically, when the request URL does not match the Host header then I would reject it. For example, curl -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com' Why? What problem are

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-29 Thread Bhavesh Mistry
Hi Mark, I am sorry for the delayed response. Basically, when the request URL does not match the Host header then I would reject it. For example, curl -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com' Based on curl -vvv output, the Tomcat server does not know the host name used

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-22 Thread Mark Thomas
Tomcat doesn't expose the SNI information. What problem are you trying to solve here? Tomcat rejects requests with mismatched host headers by default and can be configured to allow them in 8.5.x, 9.0.x and 10.1.x. You shouldn't need to write any extra code for this. Mark On 21/08/2023

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-21 Thread Bhavesh Mistry
> Hi Mark and Thomas, I understood now that Tomcat does not have information other than HOST (HTTP 1.1) and :authority: (HTTP/2). So there is no way to check what URL was used to connect and headers. I was wondering if TLS Handshake can provide *SNI can be used for this

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-20 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello, > -Original Message- > From: Bhavesh Mistry > Sent: Sunday, 20 August 2023 04:09 > To: Tomcat Users List > Subject: Re: Tomcat 9 Connector config allowHostHeaderMismatch not > working as expected > > Hi Mark, > > Thanks for your quick

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-19 Thread Bhavesh Mistry
Hi Mark, Thanks for your quick reply. According to the spec, the request line has three parts: HTTP method, path and version. Basically, what I wanted to do is, if the HOST header does not match the requested server name in the URL, then return 404 or 403. Can you please help me with how I can do this?

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-19 Thread Mark Thomas
19 Aug 2023 19:46:56 Bhavesh Mistry: Hi, Tomcat Dev team and Users, I am trying to block the request and give 404 bad requests or 403 when the HOST header does not match the requested server name. My goal is to block whenever there is a mismatch in the host header and URL server name.

Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-19 Thread Bhavesh Mistry
Hi, Tomcat Dev team and Users, I am trying to block the request and give 404 bad requests or 403 when the HOST header does not match the requested server name. My goal is to block whenever there is a mismatch in the host header and URL server name. I would appreciate your help. curl -k