Menu

Saturday, 11 July 2020

Restrict application Accessible by IP Address & HTTP Host Header Injection (Apache 2.4)


  • To mitigate host header poisoning/attack kindly make sure.
  • Use the hostname instead of IP address in the header.
  • Can refuse a request if it doesn't have the desired or expected host header. 
  • For this, Add initial RewriteCond/RewriteRule pair to confirm the HOST requested is ABCDEF.com and error if not.
  • To restrict add below lines between <VirtualHost :443> OR  <VirtualHost :80>  



File Name : httpd-ssl.conf  OR ssl.conf
*************************************************************

LoadModule rewrite_module modules/mod_rewrite.so

<VirtualHost *:443>

  ServerName ABCDEF.com
  ServerAlias www.ABCDEF.com
  
  ### UseCanonicalName On Apache httpd will use the hostname and port specified in the ServerName or ServerAlias
  UseCanonicalName On 
  
  ## Restrict the Use of IP adderss in URL
  SetEnvIf Host "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" HostHeaderIsIP=1
  RewriteEngine on
  RewriteCond %{ENV:HostHeaderIsIP} 1
  RewriteRule .* - [F]
  

  ## HTTP Host Header Injection
  RewriteEngine On
  RewriteCond %{HTTP_HOST} !^www.abcdef.com [NC]
  RewriteCond %{HTTP_HOST} !^(www.abcdef.com|abcdef.com)$ [NC]
  RewriteRule .* - [F]

  </VirtualHost>
  
****************************************************************


To check,  use below curl command as per your application URI:-
  • curl -H "Host: www.example.com" http://localhost/
  • curl -i -s -k -X $'GET' -H $'Host: wwww.example.com' $'https://www.abcdef.com/app/web/acess'

Thanks 😊


No comments:

Post a Comment