Hi Chris,

My application is HTTPS, not HTTP, and now one of the application security
platforms, WhiteHatSec, raised this vulnerability issue. I tried the
configuration mentioned above but had no luck; this configuration advised on the
Apache website,
http://tomcat.apache.org/tomcat-9.0-doc/config/host.html#Request_Filters,
is to filter the Host header. I understand this is trivial, but I have to fix it
and I think I should handle it in the application server, Tomcat 7.

I tried the configuration below, but validation is still not working; it's
still redirecting to other Host headers. Please let me know what other
configuration I can try.

<Host name="defaultlocalhost" appBase="whatever">
    <!-- RemoteAddrValve compares the client's IP address (not the Host
         header) against the "allow" regular expression; "\m" is not a
         valid Java regex escape, so the second alternative needs "\." -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow=".*\.myapplication1\.com|.*\.myapplication2\.com"/>
</Host>

Regards,
Pradeep

On Fri, Sep 10, 2021 at 7:36 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Pradeep,
>
> On 9/10/21 06:19, Pradeep wrote:
> > Hi Team,
> >
> > I need your help to fix HTTP Host header attacks.
> > I'm currently in the process of trying to fix a site vulnerability,
> > basically it is one type of the "Improper Input Handling" attack.
> >
> > Let's say my website is www.mywebsite.com and there is hacker's website
> > www.hacker.com
> > Whenever there is a request sent to www.mywebsite.com with a modified
> > "Host" header pointing to www.hacker.com, my site will create a redirect to
> > www.mywebsite.com along with whatever the URL was. e.g.
> >
> >
> > *Normal:*
> > Host: www.mywebsite.com
> > GET  www.mywebsite.com/get/some/resources/
> > Response 200 OK
> >
> >
> > *Hack:*
> > Host: www.hacker.com (#been manually modified)
> > GET  www.mywebsite.com/get/some/resources/
> > Response 302
> > Send another Redirect to www.hacker.com/get/some/resources
> >
> > I have found this configuration below for Tomcat (my application uses
> > Tomcat 7); does this work for this case? Also I have some existing Host
> > names in server.xml, not sure how to incorporate both Host configurations,
> > please help me on this.
> >
> > *Solution I found :*
> >
> > <Host name="defaultlocalhost" appBase="whatever">
> > </Host>
> >
> > *My tomcat existing Host configuration:*
> > <Host name="localhost"  appBase="webapps"
> >              unpackWARs="true" autoDeploy="true">
>
> I'm not sure why the above configuration would change anything. Can you
> explain?
>
> Please note that the "attacker" in this situation can only attack
> himself. Injecting/modifying a header into an HTTP request can only be
> done if the attacker is in a MitM position, which should not be possible
> when using HTTPS. If using HTTP, then you are on your own and this
> attack is trivial.
>
> Assuming there is no MitM, it is challenging to cause another client to
> use a header of the attacker's choosing.
>
> Unless this is simply an academic question.
>
> I always use Tomcat configured with a "default" <Host>, but I suspect
> there may be a way to force Tomcat to treat a request as invalid if the
> Host header doesn't match the name (or alias) of any <Host> configured.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

-- 
Regards
Pradeep
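One way to get the behaviour Chris suspects exists, as an added example that is not from this thread or from the Tomcat project's own documentation: point the Engine's defaultHost at a dedicated catch-all <Host> with an empty appBase, so any request whose Host header matches no configured name or <Alias> gets a plain 404 from Tomcat rather than being served, and redirected, by the real site. The host names and directory names here are placeholders.

```xml
<!-- server.xml excerpt (added example; host names and paths are placeholders).
     The Engine routes each request to the <Host> whose name or <Alias>
     matches the request's Host header; anything unmatched goes to
     defaultHost. -->
<Engine name="Catalina" defaultHost="catchall">

  <!-- Catch-all for unrecognised Host headers (e.g. www.hacker.com).
       "catchall-empty" must exist under $CATALINA_BASE and stay empty, so
       no application is deployed here and every request receives 404.
       No redirect is ever built from the attacker-supplied host name. -->
  <Host name="catchall" appBase="catchall-empty"
        unpackWARs="false" autoDeploy="false" deployOnStartup="false">
  </Host>

  <!-- The real site: this replaces the existing name="localhost" Host.
       Only a Host header equal to the name or one of the aliases reaches
       the applications in "webapps". -->
  <Host name="www.mywebsite.com" appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    <Alias>mywebsite.com</Alias>
    <Alias>www.myapplication1.com</Alias>
    <Alias>www.myapplication2.com</Alias>

    <!-- Logging the Host header (%v) shows which virtual host handled
         each request, which makes a misrouted request easy to spot. -->
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs" prefix="mywebsite_access" suffix=".log"
           pattern="%h %l %u %t %v &quot;%r&quot; %s %b"/>
  </Host>
</Engine>
```

If a reverse proxy sits in front of Tomcat, it must forward the client's original Host header (for example, Apache httpd's ProxyPreserveHost On); otherwise every request arrives with the proxy's own host name and the per-Host routing never sees the value the scanner injected.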
