
Our application has been checked by a PEN test tool, and here is the description of the issue:

An attacker can redirect the application using the host header on the below mentioned URL to redirect them to phishing websites.

Reproducing steps:

  1. Make request into application
  2. Intercept the request using proxy tool
  3. Apply attack value into "Host" header
  4. Forward the request
  5. Observe the 302 response with the injected attack value

Expected behaviour: White-list all the redirect URLs. Make sure users are reminded that they are going out of domain before the redirect occurs.

So, as we use Spring Boot with embedded Tomcat, I guess it should be some server setting.

Maybe someone can help with the required steps for preventing this attack?

Anders
dmitry
  • Dmitry, what research have you done so far? Have you tried Googling this problem? Have you attempted to fix this yourself? If so, please could you give us the steps you carried out to attempt to fix it? To me, it seems like you just want us to solve this problem for you without any effort from yourself, which isn't really how this site goes. –  May 31 '18 at 08:39

2 Answers


For non-standalone Tomcat, the trick is to configure two virtual servers, where one is the default and belongs to no web application and the other one is the real one that your web application is linked to, see https://serverfault.com/q/850955

It seems that this doesn't work with Spring boot, because it seems that you cannot configure virtual servers.

ingenue

This is an old question, but I am adding an answer as Spring has added support for whitelisting in Spring Security 4.2.17 and 5.2. This might be useful for others.

In the security config:

    import java.util.Arrays;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.firewall.StrictHttpFirewall;

    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        public void configure(WebSecurity web) throws Exception {
            // Only requests whose Host header matches one of these names are let through
            StrictHttpFirewall firewall = new StrictHttpFirewall();
            firewall.setAllowedHostnames(Arrays.asList("myhostname1", "myhostname2"));
            web.httpFirewall(firewall);
        }
    }

It will throw org.springframework.security.web.firewall.RequestRejectedException with a message like "The request was rejected because the domain www.attackersite.com is untrusted."

If you don't want all the features of StrictHttpFirewall, you can extend HttpFirewall and add your own implementation.

RoraΖ
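As an added illustration of the "extend HttpFirewall" option mentioned above (not code from the answer or from Spring Security), here is a hypothetical minimal firewall, HostAllowListFirewall, that rejects any request whose Host header is not on an allow-list. It assumes Spring Security 5.x on the javax.servlet API; the hostname normalisation (port stripping, case folding, bracketed IPv6 literals) is the part StrictHttpFirewall's allowed-hostname check does not show you.

```java
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.firewall.FirewalledRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;

/** Hypothetical firewall: rejects requests whose Host header is not on the allow-list. */
public class HostAllowListFirewall implements HttpFirewall {

    private final Set<String> allowedHosts; // lower-case hostnames, no port

    public HostAllowListFirewall(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    /** Strip an optional :port and fold case so "App.Example.COM:8443" matches "app.example.com". */
    static String normalise(String host) {
        if (host == null) return "";
        String h = host.trim().toLowerCase(Locale.ROOT);
        int colon = h.lastIndexOf(':');
        // IPv6 literals are bracketed, e.g. [::1]:8080; only strip a port after the closing bracket
        if (colon > 0 && (h.charAt(0) != '[' || colon > h.indexOf(']'))) {
            h = h.substring(0, colon);
        }
        return h;
    }

    @Override
    public FirewalledRequest getFirewalledRequest(HttpServletRequest request) {
        String host = normalise(request.getHeader("Host"));
        if (!allowedHosts.contains(host)) {
            // Spring Security turns this into an error response before any redirect is built
            throw new RequestRejectedException(
                "The request was rejected because the domain " + host + " is untrusted.");
        }
        return new FirewalledRequest(request) {
            @Override
            public void reset() {
                // nothing to reset: the wrapped request is not modified
            }
        };
    }

    @Override
    public HttpServletResponse getFirewalledResponse(HttpServletResponse response) {
        return response; // no response-side filtering needed here
    }
}
```

Register it in place of StrictHttpFirewall with web.httpFirewall(new HostAllowListFirewall(Set.of("app.example.com"))); on Spring Boot 3 the imports change to jakarta.servlet.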