Hi All,
I am facing an issue related to host header manipulation: changing the host
header is changing the URL itself. This attack is done via the Burp Suite tool.
I have copied the current configuration here; as you can see, the default
hostname is defined and appBase is provided.
The attack is happening only before the admin login page. On any pages displayed
after the login, the host header manipulation is not happening. Kindly advise me
how to fix this problem from the Apache side.
<Engine name="Catalina" defaultHost="localhost">

  <!--For clustering, please take a look at documentation at:
      /docs/cluster-howto.html  (simple how to)
      /docs/config/cluster.html (reference documentation) -->
  <!--
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
  -->

  <!-- This Realm uses the UserDatabase configured in the global JNDI
       resources under the key "UserDatabase". Any edits
       that are performed against this UserDatabase are immediately
       available for use by the Realm. -->
  <!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>-->
  <Realm className="com.cisco.cpm.infra.realm.AdminRealm"/>

  <Valve className="org.apache.catalina.valves.MethodsValve"
         methodsSupported="GET,POST,PUT,DELETE,HEAD" />

  <!-- Define the default virtual host
       Note: XML Schema validation will not work with Xerces 2.2.
  -->
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true"
        xmlValidation="false" xmlNamespaceAware="false">

    <!-- SingleSignOn valve, share authentication between web applications
         Documentation at: /docs/config/valve.html -->
    <!-- CSCtn68389: enable the SSO Valve in order to avoid
         repetitive REST authentications through AdminRealm. By enabling the Valve,
         the authenticate method in the Realm is invoked only
         once and after that, Tomcat sends a JSESSIONIDSSO cookie to the client.
         The client sends the JSESSIONIDSSO back in each request so
         Tomcat can map the request to a live session without the need to authenticate.
    -->
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    <Valve className="com.cisco.ise.tomcat.valves.GuestVlanUrlRedirectValve" />

    <!-- Access log processes all example.
         Documentation at: /docs/config/valve.html -->
    <!-- <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs"
Thanks & Regards,
Raghav
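Editor's note on the mechanism behind the symptom, with an added server.xml example that is not part of the original post and is not the product's shipped configuration. In the configuration above, defaultHost="localhost" and the only <Host> is localhost, so a request carrying any Host header value that matches no defined <Host name> or <Alias> is routed to that default host and served normally; any absolute URL the application or the container builds from the request (the redirect to the login page, for instance) is then rebuilt from the attacker-supplied name. The Tomcat-side mitigation is to make the default host an empty one that serves nothing, and to list the canonical admin hostname(s) as the real host. The names ise.example.com, ise-admin.example.com, reject-unknown-host and the directory empty-webapps are assumptions for illustration; the Realm and Valve class names are the ones from the posted configuration.

```xml
<!-- Added example (not from the original post): reject unrecognised Host
     headers at the Engine level. Tomcat routes a request to defaultHost when
     its Host header matches no <Host name> or <Alias>, so defaultHost is
     pointed at an empty catch-all host. All hostnames below are assumptions. -->
<Engine name="Catalina" defaultHost="reject-unknown-host">

  <Realm className="com.cisco.cpm.infra.realm.AdminRealm"/>

  <Valve className="org.apache.catalina.valves.MethodsValve"
         methodsSupported="GET,POST,PUT,DELETE,HEAD" />

  <!-- Catch-all host: appBase is an empty directory that must exist on disk
       (assumed path, relative to CATALINA_BASE). Nothing is deployed here, so a
       forged Host header gets a 404 instead of the admin login page and its
       redirects are never generated from the forged name. -->
  <Host name="reject-unknown-host" appBase="empty-webapps"
        unpackWARs="false" autoDeploy="false" deployOnStartup="false"/>

  <!-- The real host: only the canonical name(s) the admin portal is reached by.
       Every legitimate name (FQDN, short name, any name a fronting proxy
       forwards, an IP address if admins use one) must be the name or an Alias,
       otherwise those users land on the empty host too. -->
  <Host name="ise.example.com" appBase="webapps"
        unpackWARs="true" autoDeploy="true"
        xmlValidation="false" xmlNamespaceAware="false">
    <Alias>ise-admin.example.com</Alias>

    <!-- Valves from the posted configuration, unchanged -->
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    <Valve className="com.cisco.ise.tomcat.valves.GuestVlanUrlRedirectValve" />
  </Host>
</Engine>
```

To confirm the change took effect, repeat the same request from your own test with a Host header that is not in the list and check that the response is a 404 from the empty host rather than a 302 pointing at the supplied name; then repeat it with the canonical name and confirm the login page still loads. The reason the symptom disappears after login is consistent with this explanation: post-login pages are typically rendered with relative links and an established session, so the Host header is no longer used to build an absolute redirect. Changing a vendor product's server.xml may be unsupported, so this is something to confirm with the vendor before applying it to a production appliance.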