
java Host Header attack

I am working on a "Host Header Injection" attack for one of my clients. The issue is, using Burp Suite they are capturing the request and modifying the Host header as below. The application is a Java Servlet and hosted on Apache (web server) + WebLogic (app servers).

Original request

GET /myContext/testServlet?rq=home&tenId=123456 HTTP/1.1
Host: beta.testinglab.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate

Modified request

GET /myContext/testServlet?rq=home&tenId=123456 HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate

At the server side, even after modifying the "Host Header", the request is submitted to "beta.testinglab.com", and when on the server I use request.getRequestUrl() it gives me "www.google.com". Is there any way to find out what was the original host that was requested? The request is making it to the correct host; internal redirection is the issue.

I can't maintain a predefined list of Host entries since this application is customized by a lot of tenants.

Is there any other way to fix this attack by changing the configuration on the servers?

Rahul B asked Oct 21 '22 02:10



1 Answer

As far as I see, when the web or app server starts up it starts listening on a particular port of the machine. Which host name gets resolved to that particular machine is outside the knowledge of the web/app server. It depends on your network configurations. So there is no way the web/app server could validate that the hostname coming in the HTTP request is correct.

As you've mentioned, you could keep the expected hostname in a configuration and write a servlet filter to validate that all incoming requests match that hostname. Otherwise, in the Apache web server itself you could test whether the correct hostname value is present in the header. Either way, the correct hostname might need to be configured.

http://httpd.apache.org/docs/trunk/vhosts/name-based.html

Dev Blanked answered Oct 22 '22 15:10

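The servlet filter suggested in the answer, written out as an added example (not code from the question or answer). It checks the raw `Host` header rather than `getServerName()`/`getRequestURL()`, which the container derives from that same header, and to cover the many-tenants case it accepts a configured allow-list that may contain `*.example.com` wildcard entries for tenant subdomains. The init-param name `allowedHosts` and the `*.` wildcard syntax are assumptions of this example.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HostHeaderFilter implements Filter {
    private final Set<String> exactHosts = new HashSet<>();      // e.g. "beta.testinglab.com"
    private final Set<String> wildcardSuffixes = new HashSet<>(); // e.g. ".testinglab.com" from "*.testinglab.com"

    @Override public void init(FilterConfig config) {
        // Hypothetical init-param in web.xml, e.g. "beta.testinglab.com,*.testinglab.com"
        String param = config.getInitParameter("allowedHosts");
        if (param == null) return;
        for (String entry : param.split(",")) {
            String h = entry.trim().toLowerCase(Locale.ROOT);
            if (h.startsWith("*.")) wildcardSuffixes.add(h.substring(1));
            else if (!h.isEmpty()) exactHosts.add(h);
        }
    }

    /** Lower-cases and strips an optional ":port"; returns null for an absent or malformed value. */
    static String normalizeHost(String raw) {
        if (raw == null) return null;
        String h = raw.trim().toLowerCase(Locale.ROOT);
        int colon = h.lastIndexOf(':');
        if (colon >= 0 && !h.startsWith("[")) h = h.substring(0, colon); // leave IPv6 literals alone
        return h.matches("[a-z0-9.-]+") ? h : null;   // bracketed IPv6 literals are therefore rejected
    }

    boolean isAllowed(String host) {
        if (host == null) return false;
        if (exactHosts.contains(host)) return true;
        for (String suffix : wildcardSuffixes)        // "*.testinglab.com" matches "t1.testinglab.com", not "testinglab.com"
            if (host.endsWith(suffix) && host.length() > suffix.length()) return true;
        return false;
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        // Check the raw header: getServerName()/getRequestURL() are derived from it and would echo a spoofed value.
        if (!isAllowed(normalizeHost(((HttpServletRequest) req).getHeader("Host")))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid Host header"); return;
        }
        chain.doFilter(req, res);
    }

    @Override public void destroy() { }
}
```

With a request like the modified one above (`Host: www.google.com`) the filter answers 400 before the servlet runs; the equivalent check in front of the application is to make Apache's first name-based vhost a catch-all that returns an error, so only requests for the named vhosts are proxied to WebLogic.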