
Saturday 11 July 2020

HTTP Host Header Injection (Apache and IBM HTTP Server - IHS)


  • To mitigate Host header poisoning attacks, make sure of the following.
  • Use the hostname rather than the IP address when addressing the server.
  • Refuse any request whose Host header is not the desired or expected hostname.
  • For this, add an initial RewriteCond/RewriteRule pair that confirms the requested HOST is ABCDEF.com and returns an error if it is not.
  • To restrict, add the lines below between <VirtualHost *:443> OR <VirtualHost *:80>.


File Name : httpd-ssl.conf  OR ssl.conf
*************************************************************

LoadModule rewrite_module modules/mod_rewrite.so

<VirtualHost *:443>

    ServerName abcdef.com
    RewriteEngine on
    # Forbid (403) any request whose Host header is not one of the expected
    # names. The dots are escaped and both ends are anchored, so a look-alike
    # name such as www.abcdef.com.example does not pass; the optional ":443"
    # accepts clients that send the port explicitly (HTTP_HOST keeps it).
    RewriteCond %{HTTP_HOST} !^(www\.abcdef\.com|abcdef\.com)(:443)?$ [NC]
    # Keep the error pages reachable so the 403 response can still be served.
    RewriteCond %{REQUEST_URI} !^/error [NC]
    RewriteRule .* - [L,F]
</VirtualHost>

*************************************************************


 ## Restrict the use of an IP address in the URL to access the application.

File Name : httpd-ssl.conf  OR ssl.conf
*************************************************************
<VirtualHost *:443>

  ServerName abcdef.com
  ServerAlias www.abcdef.com

  # With UseCanonicalName On, self-referential URLs and redirects are built
  # from ServerName (and its port), not from the client-supplied Host header.
  UseCanonicalName On

  # Restrict the use of an IP address in the URL: flag any Host header that is
  # a dotted-quad IPv4 literal (with or without a port) and forbid the request.
  SetEnvIf Host "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(:\d+)?$" HostHeaderIsIP=1
  RewriteEngine on
  RewriteCond %{ENV:HostHeaderIsIP} 1
  RewriteRule .* - [F]

</VirtualHost>

*************************************************************
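As an added illustration, not part of the original post and not Apache or IHS code, the Python below reimplements the two checks that the configuration snippets above express (an allow-list of expected hostnames, and a block on IP-literal Host values) so they can be exercised offline. The domain abcdef.com, the optional ":port" suffix and the sample Host values are assumptions constructed for this example; the unanchored pattern is kept only to show why the allow-list must escape its dots and anchor both ends.

```python
import re

# Added example: the host checks from the Apache snippets, reimplemented in
# Python for offline testing. Domain and samples are constructed assumptions.

# Allow-list as in the RewriteCond: dots escaped, both ends anchored.
# The optional ":port" is an assumption made here because HTTP_HOST carries
# the port when the client sends one (e.g. "www.abcdef.com:443").
ALLOWED_HOST = re.compile(
    r"^(www\.abcdef\.com|abcdef\.com)(:\d{1,5})?$", re.IGNORECASE
)

# Anchored form of the SetEnvIf pattern: a dotted-quad IPv4 literal, with or
# without a port, as the whole Host value.
IP_LITERAL = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(:\d{1,5})?$")

# An unescaped, unanchored pattern of the kind that is easy to write by
# mistake. '.' matches any character and nothing stops the match at the end.
UNANCHORED = re.compile(r"^www.abcdef.com", re.IGNORECASE)


def host_header_is_ip(host: str) -> bool:
    r"""Mirror of SetEnvIf Host "^\d{1,3}(\.\d{1,3}){3}(:\d+)?$" HostHeaderIsIP=1."""
    return IP_LITERAL.match(host) is not None


def host_allowed(host: str) -> bool:
    """True if a request with this Host header would pass both vhost rules."""
    if host_header_is_ip(host):          # RewriteCond %{ENV:HostHeaderIsIP} 1
        return False
    return ALLOWED_HOST.match(host) is not None


def unanchored_allows(host: str) -> bool:
    """What the loose pattern would accept, for comparison only."""
    return UNANCHORED.match(host) is not None


def evaluate(hosts):
    """Return {host: (allowed by anchored rule, allowed by unanchored rule)}."""
    return {h: (host_allowed(h), unanchored_allows(h)) for h in hosts}


# Constructed sample Host header values (not captured traffic).
SAMPLE_HOSTS = [
    "www.abcdef.com",
    "abcdef.com",
    "WWW.ABCDEF.COM:443",           # case and explicit port are tolerated
    "www.abcdef.com.example.net",   # expected name used as a prefix
    "wwwXabcdefXcom",               # only passes if '.' is left unescaped
    "10.0.0.5",
    "10.0.0.5:8080",
    "unrelated.example",
]

if __name__ == "__main__":
    for host, (anchored, loose) in evaluate(SAMPLE_HOSTS).items():
        verdict = "allow" if anchored else "deny"
        loose_verdict = "allow" if loose else "deny"
        print(f"{host:30} anchored: {verdict:5}  unanchored: {loose_verdict}")
```

Running the block prints one line per sample. The two look-alike values are accepted by the unanchored pattern and rejected by the anchored one, which is the behaviour to confirm against a live server (for example with curl and an explicit `-H "Host: ..."` header) after deploying the configuration.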

Thanks 😊
