Host Header Injection

Question

We have a security scan risk where the request from the browser in Burp is intercepted, modified to have a malicious host, and sent to the server. We have observed that the server redirects to a malicious site.

Below are my queries:

Is there any way to Validate the Host header?
Will there be any consequences if we remove the host from the client headers (if point 1 is not possible)
Can we add a redirect rule to make sure the modified header is redirected to our own site?

I got the reference to points 2 and 3 from here: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/additional-headers-on-dispatcher-vhost/m-p/425174

Any help on this would be appreciated.

Environment: AEM as cloud service, 2023.3.11382.20230315T073850Z version

@arunpatidar @kautuk_sahni

Thanks,

Kiran Vedantam.

arunpatidar · Accepted Answer

Header always unset host RewriteRule ^.*$ http://mywebsite/404 [L]

arunpatidar · Answer

Hi @kiran_vedantam
You can do following :

1. Remove the host header from response, I don't see any harm.

2. Whitelist the Publisher/dispatcher IP at CDN

3. Check host header in request header

https://stackoverflow.com/questions/69350714/how-to-make-my-apache-website-accept-only-host-header-with-a-specific-entry

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded