I'm currently in the process of trying to fix a site vulnerability; basically it is one type of "Improper Input Handling" attack.
Let's say my website is www.mywebsite.com and there is a hacker's website www.hacker.com.
Whenever a request is sent to www.mywebsite.com with a modified "Host" header pointing to www.hacker.com, my site will create a redirect to www.mywebsite.com along with whatever the URL was.
e.g.

Normal:
  Host: www.mywebsite.com
  GET www.mywebsite.com/get/some/resources/
  Response 200 OK

Hack:
  Host: www.hacker.com (manually modified)
  GET www.mywebsite.com/get/some/resources/
  Response 302
  Sends another redirect to www.hacker.com/get/some/resources
My website is running on Tomcat 7. I tried a solution of setting up a virtual host that points unknown hosts to a defaultlocalhost, which is supposed to do nothing, but it still sends the redirect for some reason.
Here is the host configuration from my server.xml:
  <Engine name="Catalina" defaultHost="defaultlocalhost" jvmRoute="jvm1">
    <Host name="www.mywebsite.com" appBase="webapps"
          unpackWARs="true" autoDeploy="false" deployOnStartup="true">
      <!-- the quotes around %r must be escaped as &quot; inside an XML attribute -->
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="localhost_access_log." suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    </Host>
    <Host name="defaultlocalhost" >
    </Host>
  </Engine>
So, my question is: am I on the right track to prevent this kind of attack? If yes, what did I do wrong that it is still not working? (The ultimate goal is: if it is not the legit Host that is passed in, the request should be discarded/ignored/return 404, not redirected with a 302.)
Thank you in advance.
More references about the attack here: http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling
Although it didn't exist at the time this question was asked, Tomcat 7.0.87 introduced a new property allowHostHeaderMismatch on the connector (cf. documentation). If you set it to false (default since Tomcat 9.0), Tomcat will return a 400 Bad Request error whenever the Host header does not match the request line:

  <Connector port="8080" allowHostHeaderMismatch="false" />
Oh well, I ended up answering my own question.
After joining the Tomcat user mailing list (subscribe email address: [email protected]), a guy named Andre helped me get this resolved:
basically what I did wrong was the missing appBase in my defaultlocalhost:

  <!-- attribute names are case-sensitive: appBase, not appbase -->
  <Host name="defaultlocalhost" appBase="whatever" >
  </Host>

The above configuration successfully returned a 404 status whenever an illegal request was sent. The reason is that whenever you don't set appBase, it always defaults to webapps, so it essentially didn't do anything with my original configuration.
Hope this can help anyone who had a similar issue.
Update 7/10/2020: A 403 can be returned by adding a RemoteAddrValve and blocking all IPs. The example is based on Tomcat 9. http://tomcat.apache.org/tomcat-9.0-doc/config/host.html#Request_Filters

  <Host name="defaultlocalhost" appBase="whatever">
    <!-- deny all remote addresses to this host -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           deny="\d+\.\d+\.\d+\.\d+"/>
  </Host>
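Added example, not from the question or either answer: two throwaway local servers built with Python's http.server model the behaviour discussed above, one that builds its redirect from whatever arrived in the Host header and one that answers 404 for any host outside an allow-list, plus a small probe a defender can point at the real Tomcat after editing server.xml to confirm the 302 is gone. The allow-listed name www.mywebsite.com and the probe host host-check.invalid are constructed values, and the local servers stand in for Tomcat rather than reproduce it.

```python
import threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_HOSTS = {"www.mywebsite.com"}  # constructed: hosts the site answers for

class RedirectHandler(BaseHTTPRequestHandler):
    """Stand-in for the behaviour in the question: redirect built from Host."""
    hardened = False  # True models the fixed default host: 404, no redirect

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if self.hardened and host not in ALLOWED_HOSTS:
            self.send_response(404)  # unknown Host is dropped, nothing reflected
            self.end_headers()
            return
        self.send_response(302)
        self.send_header("Location", "http://%s%s" % (host, self.path))
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def probe(port, host_header, path="/get/some/resources"):
    """Send one GET with an explicit Host header; return (status, Location)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", path, skip_host=True)  # we supply Host ourselves
    conn.putheader("Host", host_header)
    conn.endheaders()
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"))
    conn.close()
    return result

def reflects_host_header(status, location, probe_host):
    """True when the response is a redirect whose target echoes the probe host."""
    return status in (301, 302, 303, 307, 308) and bool(location) and probe_host in location

def demo(hardened, probe_host="host-check.invalid"):
    """Run a throwaway local server and probe it with a foreign Host header."""
    handler = type("Handler", (RedirectHandler,), {"hardened": hardened})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe(srv.server_address[1], probe_host)
    finally:
        srv.shutdown()
        srv.server_close()
```

demo(False) returns (302, 'http://host-check.invalid/get/some/resources') while demo(True) returns (404, None); against a live Tomcat, call probe() with its port and the same foreign host and feed the result to reflects_host_header().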