how to prevent host header injection in struts2 (JAVA) (Jboss-as-7.2.0.Final)

Asked Aug 23 '18 at 09:36

Active Aug 23 '18 at 09:36

Viewed 1,675 times

I'm just trying to find the solution for host header injection but couldn't find it. Need help from you techies.

Using struts2 as a framework, jsp as frontend and jboss 7 as an application server .

Below are the sample request,

GET /xxxxxxxx/xxxxxxx/xxxxxxxxxMaster.action HTTP/1.1 Host: xxx.xxx.xx.xxx:8444 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://xxx.xx.xx.xxx:8444/xxxxx/xxxxx.action Cookie: menusToExpand=LINKID000001323Menu%2CLINKID000041521Menu%2CLINKID000055923Menu%2CLINKID000042954Menu%2CLINKID000094209Menu; itemToHighlight=https%3A//xxx.xxx.xx.xxx%3A8444/xxxxx/xxxxxxxxxxxx/xxxxxxxxxx.action; JSESSIONID=qKGED+F7LXZ1hvQijXKO+5Qp.hellnode01 Connection: keep-alive

I want to hide host ip address to prevent Host Header Injection..

any help would be appreciated!

Thanks

asked Aug 23 '18 at 09:36

Sagar Borkhatariya

You could remove it with a normal filter if your app doesn't rely on it (I don't know if S2 uses it to construct links or not) or just filter it through a whitelist of allowed host names. – Dave Newton Aug 23 '18 at 17:16
Okay I'll handle this using filter. Thanks :) – Sagar Borkhatariya Aug 27 '18 at 05:07

how to prevent host header injection in struts2 (JAVA) (Jboss-as-7.2.0.Final)

0 Answers0