Hi Chris,

My application is HTTPS, not HTTP, and now one of the application security platforms, WhiteHatSec, raised this vulnerability issue. I tried the above configuration you mentioned but no luck, but this configuration is advised on the Apache website http://tomcat.apache.org/tomcat-9.0-doc/config/host.html#Request_Filters to filter the Host header. I understand this is trivial, but I have to fix it and I think I should handle it in the application server, Tomcat 7.
I tried the below configuration but validation is still not working; it's still redirecting other Host headers. Please let me know what other configuration I can try:

<Host name="defaultlocalhost" appBase="whatever">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow=".*\.myapplication1\.com|.*\.myapplication2\.com"/>
</Host>

Regards,
Pradeep

On Fri, Sep 10, 2021 at 7:36 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> Pradeep,
>
> On 9/10/21 06:19, Pradeep wrote:
> > Hi Team,
> >
> > I need your help to fix HTTP Host header attacks.
> > I'm currently in the process of trying to fix a site vulnerability,
> > basically it is one type of the "Improper Input Handling" attack.
> >
> > Let's say my website is www.mywebsite.com and there is a hacker's website
> > www.hacker.com
> > Whenever there is a request sent to www.mywebsite.com with a modified "Host"
> > header pointing to www.hacker.com, my site will create a redirect to
> > www.mywebsite.com along with whatever the url it was. e.g.
> >
> > *Normal:*
> > Host: www.mywebsite.com
> > GET www.mywebsite.com/get/some/resources/
> > Response 200 ok
> >
> > *Hack:*
> > Host: www.hacker.com (#been manually modified)
> > GET www.mywebsite.com/get/some/resources/
> > Response 302
> > Send another Redirect to www.hacker.com/get/some/resources
> >
> > I have found this configuration below for tomcat (my application is using
> > Tomcat7); does this work for this case? Also I have some existing Host names in
> > server.xml, not sure how to incorporate both Host configurations, please help
> > me on this.
> >
> > *Solution I found:*
> >
> > <Host name="defaultlocalhost" appBase="whatever">
> > </Host>
> >
> > *My tomcat existing Host configuration:*
> > <Host name="localhost" appBase="webapps"
> >       unpackWARs="true" autoDeploy="true">
>
> I'm not sure why the above configuration would change anything. Can you
> explain?
>
> Please note that the "attacker" in this situation can only attack
> himself. Injecting/modifying a header into an HTTP request can only be
> done if the attacker is in a MitM position, which should not be possible
> when using HTTPS. If using HTTP, then you are on your own and this
> attack is trivial.
>
> Assuming there is no MitM, it is challenging to cause another client to
> use a header of the attacker's choosing.
>
> Unless this is simply an academic question.
>
> I always use Tomcat configured with a "default" <Host>, but I suspect
> there may be a way to force Tomcat to treat a request as invalid if the
> Host header doesn't match the name (or alias) of any <Host> configured.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

--
Regards
Pradeep
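The thread above is looking for a way to make the application refuse requests whose Host header names a site other than its own, so that no redirect is ever built from an attacker-supplied value. Note that the RemoteAddrValve from the linked "Request Filters" section matches the client's remote IP address, not the Host header, so it cannot do this. What follows is an added example written for this page, not code from the thread or from Tomcat itself: a Servlet 3.0 (javax.servlet, as shipped with Tomcat 7) filter that compares the Host header against an explicit allowlist and answers 400 on any mismatch. The package name, the class name, the `allowedHosts` init-param and the hostnames are assumptions for illustration.

```java
// Added example, not from the original thread or from Tomcat: reject any request
// whose Host header is not in an explicit allowlist. Package, class name,
// init-param name and hostnames are hypothetical.
package com.example.security;

import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HostHeaderFilter implements Filter {

    private Set<String> allowedHosts = Collections.emptySet();

    @Override
    public void init(FilterConfig config) throws ServletException {
        // "allowedHosts" is a hypothetical init-param holding comma-separated
        // hostnames, e.g. "www.mywebsite.com,www.myapplication1.com".
        String raw = config.getInitParameter("allowedHosts");
        if (raw == null || raw.trim().isEmpty()) {
            throw new ServletException("allowedHosts init-param is required");
        }
        Set<String> hosts = new HashSet<String>();
        for (String h : raw.split(",")) {
            String name = h.trim().toLowerCase(Locale.ROOT);
            if (!name.isEmpty()) {
                hosts.add(name);
            }
        }
        allowedHosts = Collections.unmodifiableSet(hosts);
    }

    /** Returns true only when the Host header value names one of the allowed hosts. */
    static boolean isAllowed(String hostHeader, Set<String> allowed) {
        if (hostHeader == null) {
            return false; // HTTP/1.1 requires Host; a missing header is rejected
        }
        String host = hostHeader.trim().toLowerCase(Locale.ROOT);
        // Strip an optional port ("www.mywebsite.com:8443"). Bracketed IPv6
        // literals are left untouched and therefore never match a hostname.
        int colon = host.lastIndexOf(':');
        if (colon > 0 && !host.startsWith("[")) {
            host = host.substring(0, colon);
        }
        // Exact set membership, not a regex: "www.mywebsite.com.hacker.com" is refused.
        return allowed.contains(host);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!isAllowed(request.getHeader("Host"), allowedHosts)) {
            // Answer with a plain 400 instead of a redirect derived from the header,
            // so the bad value never reaches the application's Location logic.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid Host header");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Register it in the web application's web.xml with a `<filter>` element carrying the `allowedHosts` init-param and a `<filter-mapping>` on `/*`, placed before any other filter, so the check runs before the application code that would otherwise build the 302 from the header.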