Saturday 11 July 2020

Restrict Application Access via IP Address & HTTP Host Header Injection (Apache 2.4)

  • To mitigate Host header poisoning attacks, make sure of the following.
  • Use the hostname instead of the IP address in the Host header.
  • Refuse any request that doesn't carry the desired or expected Host header.
  • For this, add an initial RewriteCond/RewriteRule pair that confirms the requested Host is the expected one and returns an error if it is not.
  • To restrict, add the lines below inside <VirtualHost *:443> OR <VirtualHost *:80>.

File Name : httpd-ssl.conf  OR ssl.conf

LoadModule rewrite_module modules/

<VirtualHost *:443>

  ## With UseCanonicalName On, Apache httpd uses the hostname and port specified in ServerName (or ServerAlias) for self-referential URLs
  UseCanonicalName On
  ## Restrict the use of an IP address in the URL (Host header)
  SetEnvIf Host "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" HostHeaderIsIP=1
  RewriteEngine On
  RewriteCond %{ENV:HostHeaderIsIP} 1
  RewriteRule .* - [F]

  ## HTTP Host Header Injection: allow only the expected hostname(s); fill in the patterns below with your own
  RewriteCond %{HTTP_HOST} !^ [NC]
  RewriteCond %{HTTP_HOST} !^(|$ [NC]
  RewriteRule .* - [F]

</VirtualHost>
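
To see which Host values the two rule blocks above accept and reject, here is an added Python model of their logic (not part of the original post, and not Apache itself) run over constructed Host header values; the placeholder hostnames www.example.com and example.com stand in for the ones the post leaves blank, and the second block is modelled as one anchored, case-insensitive alternation.

```python
import re

# Constructed placeholder hostnames standing in for the ones the post leaves blank.
ALLOWED_HOSTS = ("www.example.com", "example.com")

# The dotted-quad pattern from the post's SetEnvIf line; note it is unanchored.
IP_HOST_RE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")


def allowlist_pattern(hosts):
    """Build the anchored, case-insensitive alternation the RewriteCond [NC] uses."""
    alternation = "|".join(re.escape(h) for h in hosts)
    return re.compile(rf"^({alternation})$", re.IGNORECASE)


def evaluate_host(host_header, allowed=ALLOWED_HOSTS):
    """Return 'F' (403 Forbidden) or 'pass' for a raw Host header value.

    %{HTTP_HOST} is the header exactly as the client sent it, so an
    explicit port such as 'example.com:8443' is part of the value.
    """
    # Block 1: SetEnvIf Host "<ip regex>" HostHeaderIsIP=1 -> RewriteRule .* - [F]
    if IP_HOST_RE.search(host_header):
        return "F"
    # Block 2: RewriteCond %{HTTP_HOST} !^(a|b)$ [NC] -> RewriteRule .* - [F]
    if allowlist_pattern(allowed).match(host_header) is None:
        return "F"
    return "pass"


def check_samples():
    """Constructed Host values covering the cases a tester would send."""
    samples = [
        "www.example.com",           # expected host -> pass
        "EXAMPLE.COM",               # [NC] makes the match case-insensitive -> pass
        "203.0.113.10",              # IP literal -> F (block 1)
        "203.0.113.10:443",          # IP with port -> F (unanchored regex still matches)
        "",                          # missing/empty Host -> F (block 2)
        "attacker.example.com",      # unexpected subdomain -> F
        "example.com.attacker.net",  # prefix-spoofed host -> F (pattern is anchored)
        "[::1]",                     # IPv6 literal: block 1 misses it, block 2 catches it
        "www.example.com:8443",      # legitimate host with explicit port -> F (see note)
    ]
    return {h: evaluate_host(h) for h in samples}
```

The last sample shows a caveat: because %{HTTP_HOST} keeps the port the client sent, a legitimate request on a non-default port is rejected by the anchored pattern, so include the host:port form in the alternation if your clients send one.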


To check, use the curl commands below, adjusted to your application URI; a request with an unexpected Host should get a 403 Forbidden response:-
  • curl -H "Host:" http://localhost/
  • curl -i -s -k -X $'GET' -H $'Host:' $''

Thanks 😊

