Hi Mark,

> curl -vvvv -k "https://www.mydomain.com/login" -H 'Host:
> attackerHostHeaderInjection.com'

*Why? What problem are you trying to solve?*

Host Header injection is a vulnerability that needs to be addressed. I am
trying to solve the case where the host is a mismatch with the HOST (or Authority)
header, because links are generated based on the host headers.

For now the only way to prevent it is to have a set of allowed hosts and check
against this list.


Should I update the bug to provide SNI information for the request, or
should I file another request?
See also https://bz.apache.org/bugzilla/show_bug.cgi?id=64353

3) I tried the following, but again curl -vvvv shows it never sent
www.mydomain.com since it was only used to reach the IP. (This is what
Thomas Hoffmann mentioned.)
https://serverfault.com/questions/850955/tomcat-virtual-host-to-prevent-improper-input-handling-attack

Thanks for your help so far.

Thanks,

Bhavesh

On Tue, Aug 29, 2023 at 1:16 PM Mark Thomas <ma...@apache.org> wrote:

> On 29/08/2023 08:00, Bhavesh Mistry wrote:
> > Hi Mark,
> >
> > I am sorry for delayed response.
> >
> > Basically, when request url does not match host header then I would
> reject
> > it.  For example,
> >
> > curl -vvvv -k "https://www.mydomain.com/login" -H 'Host:
> > attackerHostHeaderInjection.com'
>
> Why? What problem are you trying to solve?
>
>
> > Based curl -vvv output,  tomcat server does not know host name used
> > www.mydomain.com but Host header is attackerHostHeaderInjection.com.
> >
> > In this case I would like to reject request send 403 or 404.  As you
> > explained that request Line does not have Full URL,
> allowHostHeaderMismatch
> > will not reject.
> >
> > So my idea is using SNI I could get hostname and compare with HOST header
> > or :authority and reject it.
> >
> > Is it possible to request new feature on Tomcat to get or expose SNI name
> > used by client?
>
> That is certainly possible. How likely it is to get implemented depends
> on the justification.
>
> See also https://bz.apache.org/bugzilla/show_bug.cgi?id=64353
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
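The "set of allowed hosts" check that Bhavesh describes above, written as a servlet Filter. This is an added example, not code from the thread and not part of Tomcat; it assumes Tomcat 10 or later (Jakarta Servlet, package jakarta.servlet; on Tomcat 9 substitute javax.servlet), and the package name com.example.hostcheck, the init-param name allowedHosts and the sample hostnames are placeholders. It reads the container's server name, which Tomcat derives from the Host header on HTTP/1.1 and from :authority on HTTP/2, so the curl request in the thread (Host: attackerHostHeaderInjection.com) gets a 403 regardless of which IP or SNI name the connection used.

```java
// Added example (not from the thread or from Tomcat): reject any request whose
// Host / :authority value is not on an explicit allowlist.
// Assumes Tomcat 10+ (jakarta.servlet); on Tomcat 9 use javax.servlet instead.
package com.example.hostcheck;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class AllowedHostFilter implements Filter {

    // Filled from the (hypothetical) init-param "allowedHosts", e.g.
    // "www.mydomain.com,mydomain.com". Nothing is allowed by default.
    private final Set<String> allowedHosts = new HashSet<>();

    @Override
    public void init(FilterConfig config) {
        String param = config.getInitParameter("allowedHosts");
        if (param != null) {
            for (String h : param.split(",")) {
                String n = normalize(h);
                if (!n.isEmpty()) {
                    allowedHosts.add(n);
                }
            }
        }
    }

    /**
     * Canonical form for comparison: trimmed, lower-cased, trailing dot and any
     * ":port" suffix removed. An IPv6 literal keeps its brackets ("[::1]").
     */
    static String normalize(String host) {
        if (host == null) {
            return "";
        }
        String h = host.trim().toLowerCase(Locale.ROOT);
        if (h.startsWith("[")) {
            int end = h.indexOf(']');
            return end < 0 ? "" : h.substring(0, end + 1);
        }
        int colon = h.indexOf(':');
        if (colon >= 0) {
            h = h.substring(0, colon);
        }
        if (h.endsWith(".")) {
            h = h.substring(0, h.length() - 1);
        }
        return h;
    }

    static boolean isAllowed(String host, Set<String> allowed) {
        return allowed.contains(normalize(host));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getServerName() is what Tomcat parsed from the Host header (HTTP/1.1)
        // or the :authority pseudo-header (HTTP/2); if neither was sent it falls
        // back to the local address, which is not on the allowlist either.
        String host = request.getServerName();
        if (!isAllowed(host, allowedHosts)) {
            // Fail closed: the value that would otherwise end up in generated
            // links is not one of ours.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Register it in WEB-INF/web.xml with a filter-mapping on /* and the allowedHosts init-param listing every hostname the application is legitimately reached by (including any that sit behind a reverse proxy), and put it first in the filter chain so that nothing generates a link before the check runs. This does not compare against the SNI name, since Tomcat does not expose it to the application; it only enforces the allowlist Bhavesh mentions.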
