- To mitigate Host header poisoning attacks, make sure of the following.
- Use the hostname instead of the IP address in the header.
- Refuse a request if it does not carry the desired or expected Host header.
- For this, add an initial RewriteCond/RewriteRule pair that confirms the requested HOST is ABCDEF.com and returns an error if it is not.
- To restrict, add the lines below inside <VirtualHost *:443> or <VirtualHost *:80>.
File Name : httpd-ssl.conf OR ssl.conf
*************************************************************
LoadModule rewrite_module modules/mod_rewrite.so
<VirtualHost *:443>
ServerName ABCDEF.com
ServerAlias www.ABCDEF.com
## UseCanonicalName On: Apache httpd builds self-referential URLs from the hostname and port in ServerName, not from the client-supplied Host header
UseCanonicalName On
## Restrict the use of an IP address in the Host header
SetEnvIf Host "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" HostHeaderIsIP=1
RewriteEngine On
RewriteCond %{ENV:HostHeaderIsIP} 1
RewriteRule .* - [F]
## HTTP Host Header Injection: refuse any Host value other than the expected names.
## Dots are escaped and the pattern is anchored with ^ and $, so a value such as
## www.abcdef.com.evil.example (which merely starts with the expected name) is also refused.
## If the site is served on a non-default port, allow an optional ":port" suffix, e.g. (:[0-9]+)?$
RewriteCond %{HTTP_HOST} !^(www\.abcdef\.com|abcdef\.com)$ [NC]
RewriteRule .* - [F]
</VirtualHost>
****************************************************************
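To see why the anchoring and escaping in the RewriteCond matter, here is an added Python model of the two Host header checks (it is not part of the post or of Apache). It evaluates an unanchored, unescaped prefix condition (`^www.abcdef.com`) next to the anchored, escaped one (`^(www\.abcdef\.com|abcdef\.com)$`) over constructed Host values, mirrors the SetEnvIf IP rule, and additionally strips an optional `:port` suffix, which is an assumption for servers on a non-default port. The hostnames are the ones used in the post.

```python
import ipaddress
import re

# Added example (not from the post): a Python model of the Host header checks
# in the Apache snippet above, so the two forms of the RewriteCond can be
# compared offline. The hostnames are the ones used in the post.

# Unanchored, unescaped prefix condition: !^www.abcdef.com [NC]
# A bare dot matches any character, and there is no trailing $.
LOOSE_RE = re.compile(r"^www.abcdef.com", re.IGNORECASE)

# Anchored, escaped condition: !^(www\.abcdef\.com|abcdef\.com)$ [NC]
STRICT_RE = re.compile(r"^(www\.abcdef\.com|abcdef\.com)$", re.IGNORECASE)

# The SetEnvIf pattern that flags an IPv4-looking Host header
IP_RE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")


def split_host_port(host_header: str):
    """Split a Host header value into (host, port); port is None when absent.
    Bracketed IPv6 literals such as [::1]:8443 are handled."""
    value = host_header.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return value, None
        rest = value[end + 1:]
        return value[1:end], (rest[1:] if rest.startswith(":") else None)
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return value, None


def is_ip_literal(host: str) -> bool:
    """True for an IPv4 or IPv6 address literal (what the IP rule is meant to block)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def original_allows(host_header: str) -> bool:
    """Model of a config that ANDs the loose and strict conditions: the request is
    forbidden only when BOTH fail to match, so any Host that merely starts with
    www.abcdef.com satisfies the loose condition and gets through."""
    if IP_RE.search(host_header):
        return False
    return bool(LOOSE_RE.match(host_header) or STRICT_RE.match(host_header))


def hardened_allows(host_header: str) -> bool:
    """Hardened check: strip an optional port (assumption: the server may listen
    on a non-default port), reject any IP literal, and require an exact,
    case-insensitive match against the expected names."""
    host, _port = split_host_port(host_header)
    if is_ip_literal(host):
        return False
    return STRICT_RE.fullmatch(host) is not None


def compare(host_headers):
    """Return {host_header: (original_allows, hardened_allows)} for a batch of values."""
    return {h: (original_allows(h), hardened_allows(h)) for h in host_headers}


if __name__ == "__main__":
    # Constructed sample Host values, including malformed and attacker-shaped ones
    samples = [
        "www.abcdef.com",
        "ABCDEF.com",
        "www.abcdef.com:8443",
        "www.abcdef.com.evil.example",   # passes the loose prefix condition
        "wwwXabcdefYcom",                # unescaped dots match any character
        "203.0.113.10",
        "[::1]:443",
        "evil.example",
    ]
    for host, (orig, hard) in compare(samples).items():
        orig_label = "allow" if orig else "403"
        hard_label = "allow" if hard else "403"
        print(f"{host:32} original={orig_label:5} hardened={hard_label}")
```

Run it as a script to print the decision table; `original_allows` shows the two values that slip past the loose condition, and `hardened_allows` returns False for both of them as well as for every IP literal.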
To check, use the curl commands below, adjusted to your application URI. A request carrying a Host value other than the expected names should come back as 403 Forbidden (the [F] flag):
- curl -H "Host: www.example.com" http://localhost/
- curl -i -s -k -X $'GET' -H $'Host: wwww.example.com' $'https://www.abcdef.com/app/web/acess'
Thanks 😊