java Host Header attack


As far as I see, when the web or app server starts up, it starts listening on a particular port of the machine. Which host name gets resolved to that particular machine is outside the knowledge of the web/app server; it depends on your network configuration. So there is no way the web/app server could validate that the hostname coming in the HTTP request is correct.

As you've mentioned, you could keep the expected hostname in a configuration and write a servlet filter to validate that all incoming requests match that hostname. Otherwise, in the Apache web server itself you could test whether the correct hostname value is present in the header. Either way, the correct hostname might need to be configured.

http://httpd.apache.org/docs/trunk/vhosts/name-based.html

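One way to implement the servlet-filter check suggested in this answer, as an added example that is not code from the answer or from the asker's application: a `javax.servlet.Filter` that compares the incoming Host header against hostnames read from an init-param (`allowedHosts` is an assumed name), where an entry with a leading dot admits any subdomain so that per-tenant hostnames do not each have to be listed. It assumes the filter is mapped to `/*` in web.xml ahead of the application servlets.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Rejects requests whose Host header is not an expected name for this deployment.
// Configured via the init-param "allowedHosts" (an assumed name), for example
// "beta.testinglab.com, .testinglab.com": a leading dot admits any subdomain,
// so per-tenant hostnames need not be listed one by one.
public class HostHeaderValidationFilter implements Filter {
    private final Set<String> exactHosts = new HashSet<>();
    private final Set<String> domainSuffixes = new HashSet<>();

    @Override
    public void init(FilterConfig config) {
        String param = config.getInitParameter("allowedHosts");
        for (String entry : (param == null ? "" : param).split(",")) {
            String h = entry.trim().toLowerCase(Locale.ROOT);
            if (h.startsWith(".")) domainSuffixes.add(h);
            else if (!h.isEmpty()) exactHosts.add(h);
        }
    }

    // Host may carry a port ("beta.testinglab.com:8443"); compare the name only.
    // IPv6 literals ("[::1]:8080") are not handled here and are rejected.
    boolean isAllowed(String host) {
        if (host == null) return false;
        String h = host.trim().toLowerCase(Locale.ROOT);
        int colon = h.indexOf(':');
        if (colon >= 0) h = h.substring(0, colon);
        if (h.isEmpty()) return false;
        if (exactHosts.contains(h)) return true;
        for (String s : domainSuffixes) if (h.endsWith(s) && h.length() > s.length()) return true;
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!isAllowed(((HttpServletRequest) req).getHeader("Host"))) {
            // Fail closed: a missing or unexpected Host never reaches the servlets.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Since `getRequestURL()` and `getServerName()` are built from the Host header, any code that uses them to build redirects or links only runs once this check has passed.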
Author by Rahul B

Updated on June 26, 2022

Comments

  • Rahul B, almost 2 years

    I am working on a "Host Header Injection" attack for one of my clients. The issue is, using Burp Suite they are capturing the request and modifying the Host header as below. The application is a Java Servlet application hosted on Apache (web server) + WebLogic (app server).

    Original request

    GET /myContext/testServlet?rq=home&tenId=123456 HTTP/1.1
    Host: beta.testinglab.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    

    Modified request

    GET /myContext/testServlet?rq=home&tenId=123456 HTTP/1.1
    Host: www.google.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    

    On the server side, even after modifying the "Host" header, the request is submitted to "beta.testinglab.com", and when I use request.getRequestURL() on the server it gives me "www.google.com". Is there any way to find out what the original requested host was? The request is reaching the correct host; the internal redirection is the issue.

    I can't maintain a predefined list of Host entries since this application is customized by a lot of tenants.

    Is there any other way to fix this attack by changing configuration on Servers?