Thursday, February 16, 2017

OHS: Host Header Injection

Recently we identified an issue with one of our application URLs: it is vulnerable to Host Header Injection. The application builds absolute links from the Host header of the incoming request, so by supplying a forged Host header an attacker can change the links the application generates (in pages, password-reset or notification mails, redirects and similar components) to point at a host of the attacker's choosing.

For example, if your application URL is '', an attacker can change the Host header in the client request to '', and every link the application derives from that header will then use the attacker's host instead of yours.

Fix: add the RewriteCond and RewriteRule below inside the VirtualHost so that OHS (whose mod_rewrite behaves like Apache HTTP Server's) answers 403 Forbidden to any request whose Host header does not match the target domain. Anchor the pattern on both ends, otherwise a host such as target-domain.attacker.example would still pass a prefix match. Note that this check covers the Host header only; if the application also honours X-Forwarded-Host, that header needs the same treatment.


<VirtualHost *:7004>
    RewriteEngine on
    RewriteOptions inherit
    # True when Host does NOT match the target domain (negated with !).
    # The host pattern is missing from the post; it goes after !^ and
    # should be anchored with $ (add [NC] for a case-insensitive match).
    RewriteCond %{HTTP_HOST} !^
    # Respond 403 Forbidden and stop processing further rules.
    RewriteRule ^(.*)$ - [F,L]
</VirtualHost>
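To see what the injection does and what the rewrite rule prevents, here is an added example in Python that is not code from the original post or from Oracle HTTP Server. It assumes a hypothetical application at app.example.com (port 7004, as in the VirtualHost) that builds a password-reset link from the Host header; the host names, the reset token and the two raw requests are constructed for the demonstration. `host_allowed` does, in application code, what the anchored RewriteCond does in OHS.

```python
"""Host header injection: vulnerable vs. hardened link generation.

Added example; not code from the original post or from Oracle HTTP Server.
The host names, port, token and raw requests are constructed for this demo.
ALLOWED_HOST_PATTERN plays the role of the target domain in the RewriteCond.
"""
import re

# Hypothetical canonical host of the application (assumption), with the OHS
# listen port from the post optionally present. fullmatch() below behaves like
# a ^...$ anchored RewriteCond, so "app.example.com.evil.test" does not pass.
ALLOWED_HOST_PATTERN = re.compile(r"app\.example\.com(:7004)?", re.IGNORECASE)


def parse_headers(raw_request: bytes) -> dict:
    """Return the header fields of a raw HTTP/1.1 request, keys lower-cased."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The bug the post describes: the absolute link is built from the
    client-controlled Host header, so a forged Host ends up in the mail."""
    return f"https://{headers['host']}/reset?token={token}"


def host_allowed(host_header: str) -> bool:
    """Equivalent of the anchored RewriteCond: the whole Host value must
    match the target domain (case-insensitively); anything else is rejected."""
    return ALLOWED_HOST_PATTERN.fullmatch(host_header.strip()) is not None


def respond_hardened(raw_request: bytes, token: str) -> tuple:
    """Return (status, link). 403 with no link mirrors the [F] in the
    RewriteRule; otherwise the link is built from the validated Host."""
    headers = parse_headers(raw_request)
    host = headers.get("host", "")
    if not host_allowed(host):
        return 403, ""
    return 200, f"https://{host}/reset?token={token}"


# Constructed requests: a legitimate one and one carrying a forged Host.
GOOD_REQUEST = (
    b"POST /forgot HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"email=victim%40example.com"
)
EVIL_REQUEST = GOOD_REQUEST.replace(b"Host: app.example.com", b"Host: attacker.test")


if __name__ == "__main__":
    token = "d41d8cd98f00b204"  # placeholder reset token (constructed)
    for raw in (GOOD_REQUEST, EVIL_REQUEST):
        print("vulnerable:", reset_link_vulnerable(parse_headers(raw), token))
        print("hardened  :", respond_hardened(raw, token))
```

Running it shows the vulnerable path emitting https://attacker.test/reset?token=... for the forged request, while the hardened path returns 403 for it and only builds the link for the real host. The same allowlist idea applies to X-Forwarded-Host if your application reads it.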
