Thursday, February 16, 2017

OHS: Host Header Injection

Recently we identified an issue with one of our application URLs. The URL is vulnerable to Host Header Injection, i.e. by supplying a malicious Host header an attacker can influence any absolute link the application builds from that header (password-reset links, redirects, links embedded in outgoing mail, etc.).

For example, if your application URL is 'abc.xyz.com', an attacker can change the Host request header sent by the client to 'hack.url.com'. If the application (or a component behind it) uses that header to build links, the attacker-controlled host name ends up in those links, and a victim who follows one is sent to the attacker's server.

Fix: add a negated RewriteCond together with a RewriteRule inside the VirtualHost, as shown below, so that any request whose Host header does not match the target domain is rejected with 403 Forbidden. Note that the rule only sees requests that Apache/OHS has already routed to this VirtualHost; with name-based virtual hosts a request with an unknown Host header lands in the first VirtualHost defined for that port, so the rule has to be present there (or in every VirtualHost on the port) to be effective.

httpd.conf:

<VirtualHost *:7004>
    ServerName abc.xyz.com
    ServerAlias abc.xyz.com
    RewriteEngine on
    RewriteOptions inherit
    # Forbid any request whose Host header is not exactly abc.xyz.com
    # (optionally followed by the listen port). The condition is negated
    # with '!' so that only mismatching hosts are rejected, the dots are
    # escaped so they do not act as wildcards, the pattern is anchored at
    # both ends so 'abc.xyz.com.attacker.net' also fails, and [NC] makes
    # the comparison case-insensitive.
    RewriteCond %{HTTP_HOST} !^abc\.xyz\.com(:7004)?$ [NC]
    RewriteRule ^ - [F,L]
</VirtualHost>
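The following Python model is an added example, not code from the original post or from Oracle HTTP Server. It reproduces the matching logic of the RewriteCond above so the behaviour can be checked offline: the pattern as it was first written (unescaped dots, no end anchor, and a non-negated condition in front of a [F] rule) versus the corrected one, applied to a handful of constructed Host header values. The reset-link helper, the token value and the host names other than abc.xyz.com are assumptions made up for the illustration.

```python
import re

# Host the application is actually served under (from the post) and the
# OHS listen port used in the VirtualHost.
ALLOWED_HOST = "abc.xyz.com"
LISTEN_PORT = 7004

# Pattern from the rule as first written: '.' matches any character and
# nothing anchors the end of the string.
ORIGINAL_PATTERN = re.compile(r"^abc.xyz.com")

# Corrected pattern: escaped dots, optional ':7004', anchored at both
# ends, case-insensitive (the [NC] flag in mod_rewrite).
STRICT_PATTERN = re.compile(
    r"^" + re.escape(ALLOWED_HOST) + r"(:" + str(LISTEN_PORT) + r")?$",
    re.IGNORECASE,
)


def original_rule_forbids(host: str) -> bool:
    """RewriteCond %{HTTP_HOST} ^abc.xyz.com  ->  RewriteRule ^ - [F,L]

    The rule fires, i.e. the request is forbidden, when the condition
    MATCHES. So the legitimate host is blocked and foreign hosts pass.
    """
    return ORIGINAL_PATTERN.search(host) is not None


def corrected_rule_forbids(host: str) -> bool:
    """RewriteCond %{HTTP_HOST} !^abc\\.xyz\\.com(:7004)?$ [NC]

    With the condition negated, the request is forbidden only when the
    Host header does NOT match the allowed host.
    """
    return STRICT_PATTERN.search(host) is None


def build_reset_link(host: str, token: str) -> str:
    """Hypothetical application code that builds an absolute URL from the
    Host header; this is the pattern that makes host header injection
    exploitable."""
    return f"https://{host}/reset?token={token}"


def safe_reset_link(host: str, token: str) -> str:
    """Same link builder, but only after the corrected check has passed."""
    if corrected_rule_forbids(host):
        raise ValueError(f"rejected Host header: {host!r}")
    return build_reset_link(host, token)


# Constructed sample Host header values, as an attacker or a browser
# might send them.
SAMPLE_HOSTS = [
    "abc.xyz.com",                # legitimate
    "ABC.XYZ.COM:7004",           # legitimate, with port, different case
    "hack.url.com",               # attacker-controlled host
    "abc.xyz.com.attacker.net",   # prefix trick against an unanchored pattern
    "abcXxyzYcom",                # dot-as-wildcard trick against unescaped dots
]


def compare_rules(hosts=SAMPLE_HOSTS) -> dict:
    """Return {host: (forbidden_by_original, forbidden_by_corrected)}."""
    return {h: (original_rule_forbids(h), corrected_rule_forbids(h)) for h in hosts}


if __name__ == "__main__":
    for host, (orig, fixed) in compare_rules().items():
        print(f"{host:28s} original forbids={orig!s:5s} corrected forbids={fixed}")
    print(safe_reset_link("abc.xyz.com", "example-token"))
```

Running it shows the first pattern doing the opposite of what was intended: it forbids 'abc.xyz.com' itself while letting 'hack.url.com' through, and its unescaped dots also match 'abcXxyzYcom'. The corrected pattern admits only the real host, with or without the port and regardless of case, and rejects everything else, so the link builder never sees an attacker-supplied host.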
