SOLVED

Host Header Injection

Community Advisor

We have a security scan risk where the request from the browser in Burp is intercepted, modified to have a malicious host, and sent to the server. We have observed that the server redirects to a malicious site.

Below are my queries:

  1. Is there any way to validate the Host header?
  2. Will there be any consequences if we remove the Host from the client headers (if point 1 is not possible)?
  3. Can we add a redirect rule to make sure a request with a modified header is redirected to our own site?

I got the reference to points 2 and 3 from here: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/additional-headers-on-disp...

 

Any help on this would be appreciated.

 

Environment: AEM as cloud service, 2023.3.11382.20230315T073850Z version

 

@arunpatidar @kautuk_sahni 

 

Thanks,

Kiran Vedantam.

 


3 Replies

Community Advisor

Hi @Kiran_Vedantam 
You can do the following:

1. Remove the Host header from the response; I don't see any harm.

2. Whitelist the Publisher/dispatcher IP at the CDN.

3. Check the Host header in the request headers:

https://stackoverflow.com/questions/69350714/how-to-make-my-apache-website-accept-only-host-header-w... 



Arun Patidar

Community Advisor

Thanks for the response @arunpatidar 

 

Can you please help me with the working piece of code for points 1 and 3 that you have mentioned?

 

Thanks,
Kiran Vedantam.

Correct answer by
Community Advisor
# Header acts on response headers (point 1 above). A client-supplied request
# header would be removed with RequestHeader instead.
Header always unset Host

# mod_rewrite must be switched on for the RewriteRule below to run.
RewriteEngine On

# Any request whose Host header is not our own hostname is redirected to a
# fixed 404 page on our own site; the target never comes from the request.
# R makes the external redirect explicit.
<If "%{HTTP_HOST} != 'mywebsite'">
  RewriteRule ^.*$ http://mywebsite/404 [R,L]
</If>


Arun Patidar
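The allow-list check from point 3, written out as a complete Apache httpd 2.4 virtual-host fragment. This is an added example, not code from the thread or from Adobe's dispatcher configuration; the hostnames www.example.com and example.com are placeholders. It goes a little beyond the accepted answer: a mismatch is answered with 400 Bad Request instead of a redirect, an optional :port and letter case in the Host value are tolerated, and UseCanonicalName On makes Apache build its own self-referential redirects (the trailing-slash redirect from mod_dir, for instance) from ServerName rather than from the request's Host header, which is the symptom described in the question.

```apache
# Added example (not from the thread or from Adobe): Apache httpd 2.4 vhost
# that serves only an explicit allow-list of hostnames and rejects the rest.
# www.example.com / example.com are assumed placeholders.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com

    # Self-referential URLs generated by Apache (redirects, mod_dir trailing
    # slash) are built from ServerName, never from the client Host header.
    UseCanonicalName On

    RewriteEngine On

    # Allow-list: the Host header as received may carry a port, so an optional
    # ":port" is accepted; [NC] makes the comparison case-insensitive.
    # A missing Host header (empty string) also fails this condition.
    RewriteCond %{HTTP_HOST} !^(www\.example\.com|example\.com)(:[0-9]+)?$ [NC]

    # Fail closed with 400 Bad Request and no Location header, so an injected
    # value is never reflected anywhere. Use [F] instead if you prefer a 403.
    RewriteRule ^ - [R=400,L]

    # Normal dispatcher / proxy configuration for valid hosts goes below.
</VirtualHost>
```

The pattern has to match the Host value as it actually arrives at Apache: if a CDN or load balancer in front of the dispatcher rewrites Host, list that name, not the public one. To verify, send `curl -i -H 'Host: evil.example' http://<dispatcher>/` and confirm a 400 with no Location header, then repeat with a legitimate Host value and confirm the site still answers.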