Preface
When a URL that refers to a directory is requested without its trailing /, most web servers and middleware complete the path themselves and answer with a 301 or 302 redirect (see the figure below). The host name in the Location header of that redirect is taken from the request's Host header, so a client that supplies a forged Host is redirected to the forged host.
On its own this is low risk and hard to turn into a real Host header attack. Most vulnerability scanners nevertheless flag it as a Host header attack, so the client commissioning the test usually requires it to be fixed, and fixed completely, in order to pass a higher-level inspection or an audit.
The redirect is not issued by the web application; the middleware issues it before the request ever reaches the application. It therefore cannot be fixed by hard-coding the host name in application code, and an application-level global filter cannot intercept it. The fix has to be made in the web server's own configuration. Reference fixes for several common servers follow; corrections of any errors or omissions are welcome.
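Whichever server is being fixed, the result should be verified from the client side rather than assumed from the configuration. The script below is an added example, not part of the original article: it requests a directory URL without its trailing slash while forging the Host header, then checks whether the Location header of the reply echoes the forged host. The URL and host names used here are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): client-side check for the
# trailing-slash redirect described above. A server that is still vulnerable
# builds the Location header from the request's Host header, so a forged
# Host comes straight back in the redirect.

# Print the host part of the first Location header found in a block of raw
# response headers, e.g. "Location: http://evil.example/admin/" -> evil.example.
# Prints nothing when there is no Location header (e.g. a 403 reply).
location_host() {
  printf '%s\n' "$1" |
    sed -n -E 's#^[Ll]ocation:[[:space:]]*[A-Za-z][A-Za-z0-9+.-]*://([^/:[:space:]]+).*#\1#p' |
    head -n 1
}

# Exit 0 when the redirect echoes the forged host (fix NOT effective),
# non-zero otherwise. $1 = raw response headers, $2 = forged Host value.
redirect_echoes_host() {
  [ "$(location_host "$1")" = "$2" ]
}

# Live check against a running server.
# $1 = directory URL without trailing slash (assumed, e.g. http://192.168.0.16/admin)
# $2 = forged Host value (assumed, e.g. evil.example)
check_host_header() {
  headers=$(curl -sS -o /dev/null -D - -H "Host: $2" "$1") || return 2
  if redirect_echoes_host "$headers" "$2"; then
    echo "VULNERABLE: Location header uses forged Host '$2'"
    return 1
  fi
  echo "OK: reply does not echo '$2' ($(printf '%s\n' "$headers" | head -n 1))"
  return 0
}

# Usage: ./check_host.sh http://192.168.0.16/admin evil.example
if [ "$#" -eq 2 ]; then
  check_host_header "$1" "$2"
fi
```

A fixed server passes in one of two ways: it still redirects but the Location host is the configured name (Apache UseCanonicalName, nginx server_name_in_redirect), or it refuses the forged request outright with 403 or an aborted connection (nginx default server, IIS URL Rewrite), in which case there is no Location header at all.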
Apache:
Method 1: edit conf\httpd.conf
Set ServerName to the application's own domain name and add the directives shown in the figure, so that Apache builds self-referential URLs from ServerName instead of from the request's Host header.
Restart Apache.
If the fix has taken effect, the Location header of the redirect now carries the configured ServerName rather than whatever the client sent in Host.
Method 2: edit conf\httpd.conf
Add virtual-host configuration along the lines of the figure.
Restart Apache.
Effect:
Any request addressed directly to the IP address 192.168.0.16 is denied, and a client using 192.168.0.16 sees an access-denied page. Only requests that use the configured domain name are served, with the site's root directory pointing at C:\www.
Method 3: edit conf\httpd.conf
Find the line "#LoadModule rewrite_module modules/mod_rewrite.so" and remove the leading "#" to enable mod_rewrite, then add a rule set like the one in the figure.
Restart Apache.
Effect:
When the Host header is not 192.168.0.16, the request is sent to the error page instead of being redirected.
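Worked configuration for the three Apache methods above, as an added example rather than the configuration from the original screenshots. It assumes Apache 2.4 (Require instead of Deny from), a site named www.example.com, the server address 192.168.0.16 and the document root C:/www; substitute your own values. The RewriteCond/RewriteRule form used in Method 3 is also the syntax ISAPI_Rewrite accepts for the IIS 6 whitelist described later on this page.

```apache
# Added example, not the original page's httpd.conf.
# Assumptions: Apache 2.4, site www.example.com, server IP 192.168.0.16, root C:/www.

# Method 1: make Apache build self-referential URLs, including the Location of
# the trailing-slash redirect, from ServerName and not from the request's Host.
ServerName www.example.com:80
UseCanonicalName On

# Method 2: the first <VirtualHost> for *:80 is the default and receives every
# request whose Host matches no other vhost, including requests to the bare IP.
# It denies everything, so only the named site below is ever served.
<VirtualHost *:80>
    ServerName 192.168.0.16
    <Location />
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "C:/www"
</VirtualHost>

# Method 3: mod_rewrite (LoadModule rewrite_module modules/mod_rewrite.so must
# be uncommented). Requests with an unexpected Host are rewritten to the error
# page internally ([L], not [R]): an external [R] redirect would itself be
# built from the forged Host unless UseCanonicalName On is also set.
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.example\.com(:80)?$ [NC]
RewriteRule ^ /error.html [L]
```

Method 1 is the one that addresses the redirect itself; Methods 2 and 3 stop the forged request from being served at all. After the restart, confirm with a request carrying a forged Host that the reply is either a denial or a redirect whose Location uses www.example.com.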
Nginx:
Method 1:
Modify nginx.conf
Add a default server block. Requests whose Host header matches none of the configured server_name values fall through to the default server, which simply returns 403.
For example:
Just restart nginx.
Method 2:
Modify nginx.conf
Add a Host check to the target server block, following the highlighted part of the configuration in the figure. Restart nginx.
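Worked nginx configuration covering both methods above, as an added example and not the page's nginx.conf. It assumes the site is www.example.com on port 80 with its files under /var/www/html.

```nginx
# Added example, not the original page's nginx.conf.
# Assumptions: site www.example.com, port 80, root /var/www/html.

# Method 1: catch-all default server. Any request whose Host matches no
# server_name lands here and is rejected before nginx can build a redirect.
server {
    listen 80 default_server;
    server_name _;
    return 403;
}

server {
    listen 80;
    server_name www.example.com;
    root /var/www/html;

    # nginx normally copies the request's Host into the Location of its
    # trailing-slash redirect. These two directives remove that dependency:
    # use the first server_name instead of Host when building Location ...
    server_name_in_redirect on;
    # ... and (nginx 1.11.8 or later) emit a relative Location with no host at all.
    absolute_redirect off;

    # Method 2: explicit Host check inside the target server block.
    # $host is lower-cased and has the port stripped, so one pattern suffices.
    # "if" with a plain "return" at server level is one of the safe uses of if.
    if ($host !~ ^www\.example\.com$) {
        return 403;
    }
}
```

With a default_server present, Method 2 is belt-and-braces; it matters on hosts where other server blocks (or a wildcard server_name) might otherwise catch the forged request.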
Tomcat:
Edit tomcat\conf\server.xml
Find the following location:
Change the name attribute of the Host element to the fixed domain name, as shown:
Restart Tomcat to complete the repair.
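The relevant part of server.xml written out, as an added example rather than the page's own file. Besides renaming the Host element as the step above says, two neighbouring attributes have to agree with it: the Engine's defaultHost must name an existing Host element, and the Connector's proxyName/proxyPort fix the values of request.getServerName()/getServerPort(), which Tomcat uses whenever it builds an absolute Location header. The host name www.example.com and port 8080 are assumptions.

```xml
<!-- Added example, not the page's server.xml.
     Assumptions: application served as www.example.com on port 8080. -->
<Service name="Catalina">

  <!-- proxyName/proxyPort pin the server name and port Tomcat reports to the
       application and uses in absolute Location headers, so a forged Host
       header cannot be echoed back in a redirect. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             proxyName="www.example.com" proxyPort="8080"
             redirectPort="8443" />

  <!-- defaultHost must name an existing Host element: keep it in sync with
       the renamed Host below instead of leaving it at "localhost". -->
  <Engine name="Catalina" defaultHost="www.example.com">

    <!-- The step from the article: the Host is named after the fixed domain
         rather than "localhost". -->
    <Host name="www.example.com" appBase="webapps"
          unpackWARs="true" autoDeploy="true">
    </Host>

  </Engine>
</Service>
```

Restart Tomcat and re-test with a forged Host header; the Location header of the directory redirect should now carry www.example.com.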
IIS6.0:
Use the ISAPI_Rewrite filter to inspect each incoming request and rewrite the URL.
The original gives a download address for the installation package together with a crack tool. Be aware that an ISAPI filter runs inside the IIS worker process with the site's privileges, so a patched binary from a crack site is itself a supply-chain risk; use a licensed copy where at all possible.
After the download completes, double-click the installer and click Next through the installation.
Unzipping the crack tool yields the three files shown in the figure.
Copy the three cracked files into the ISAPI_Rewrite installation directory, overwriting the official files. If they cannot be overwritten, rename the three official files first and then copy the cracked files in.
Once the files are replaced, add the SERVICE account to the ACL of ISAPI_Rewrite.dll and grant it Read and Read & Execute permissions. (This step is essential; without it ISAPI_Rewrite will not load.)
Open the IIS management tool, select the target site -> Properties -> ISAPI Filters -> Add -> browse to the installed ISAPI_Rewrite.dll -> OK.
Restart IIS and reopen the IIS management tool. A new ISAPI_Rewrite tab now appears under the target site's Properties, where .htaccess-style rules can be written directly to perform whatever redirects are needed.
To whitelist the Host header, add rules like those in the figure; ISAPI_Rewrite uses mod_rewrite-style RewriteCond/RewriteRule syntax.
Once configured, any request whose Host field is not 192.168.2.141 is sent to the error page.
IIS7.0/7.5/8.0:
Microsoft provides a URL Rewrite module for IIS that can filter incoming requests; it is not installed by default and has to be downloaded from Microsoft (separate 64-bit and 32-bit installers are available).
After the download completes, double-click the installer and click Next through the installation.
Restart the IIS management tool; a URL Rewrite feature now appears under the IIS section of the site's feature view.
Double-click URL Rewrite and add a new rule under Inbound rules.
Select the Request blocking template.
Configure the rule as in the figure: block based on the Host header, enter the site's domain name or IP address as the pattern, and click OK.
Double-click the rule that was just created.
Set the match to "Does Not Match the Pattern", set "Using" to "Exact Match", set the action type to "Abort Request", and click Apply in the upper-right corner.
Restart the website. Re-testing shows that when Host is not 192.168.124.149 the server aborts the request, which defeats the Host header attack.
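The URL Rewrite GUI stores the rule in the site's web.config. The following is that file written out by hand, as an added example and not the page's own configuration, so the rule can be reviewed in source control or deployed without clicking through the wizard. The host name www.example.com and the rule name are assumptions; use the site's real host (or its IP, as the article does with 192.168.124.149).

```xml
<!-- Added example, not the page's web.config.
     Assumption: the site is served as www.example.com. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Equivalent of the wizard steps above: "Does Not Match the Pattern"
             is negate="true", "Exact Match" is the anchored pattern, and
             "Abort Request" is the action. {HTTP_HOST} is the raw Host header
             and includes a non-default port, so add "www.example.com:8080"
             to the pattern if the site listens on one. Condition matching is
             case-insensitive by default. -->
        <rule name="Block unexpected Host header" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^www\.example\.com$" negate="true" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Because the action is AbortRequest rather than a redirect, a forged-Host request gets no Location header at all, which is the easiest outcome to confirm with a client-side test.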
Reprinted from the original source (link not preserved).