How to prevent host header injection redirection in jetty


How to prevent host header injection redirection in jetty

Xiao Li
I have a filter in webdefault.xml. In the filter, I can compare the HOST header value with a list of trusted host values. If the value in the HOST header is not in the list, I fail the HTTP request. The problem is that when a 302 happens, the filter is not hit. For example, I have a web app, say myweb. http://host:port/myweb will be automatically redirected to http://host:port/myweb/ by Jetty. If the HOST header is injected in the HTTP request to http://host:port/myweb, since the filter is not hit, the request will be redirected to a site specified in the HOST header value.

What can I do about this?

Thank you.

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users

Re: How to prevent host header injection redirection in jetty

Simone Bordet-3
Hi,

On Fri, Sep 27, 2019 at 4:08 PM Xiao Li <[hidden email]> wrote:
>
> I have a filter in webdefault.xml. In the filter, I can compare HOST header value with a list of trusted host values. If the value in HOST header is not in the list, I fail the http request. The problem is that when 302 happens, the filter is not hit. For example, I have a web app say myweb. http://host:port/myweb will be automatically redirected to http://host:port/myweb/ by jetty. If HOST header is injected in http request http://host:port/myweb, since the filter is not hit, the request will be redirected to a site specified in HOST header value.
>

Jetty would not know where to redirect to, unless you have configured
some Jetty Handler that does that.
If that is the case, then your option is to use a Jetty Handler in
front of the others (rather than a Filter) to perform your Host header
checks.
Alternatively, you remove the redirecting Jetty Handler and do
everything from Filters: one that does Host header checks, and a
following one that does redirection.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
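One way to implement the "Handler in front of the others" that Simone suggests, as an added example that is not part of this thread and not Jetty's own code. It is written against the Jetty 9.4 embedded API (HandlerWrapper, WebAppContext) and assumes the application is deployed as a WebAppContext at /myweb with an allow list of two constructed Host values; the war path and the host names are placeholders.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.HandlerWrapper;
import org.eclipse.jetty.webapp.WebAppContext;

/**
 * Rejects any request whose Host header is not on a fixed allow list.
 * Because it wraps the context, it runs before the context's own
 * /myweb -> /myweb/ redirect and before any servlet filter, which is
 * exactly the gap the question describes. (Example code, Jetty 9.4 API.)
 */
public class HostHeaderCheckHandler extends HandlerWrapper {

    private final Set<String> allowedHosts;

    /**
     * Entries are matched against the raw Host value, so list "host:port"
     * when clients send a port and plain "host" when they do not.
     */
    public HostHeaderCheckHandler(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts.stream()
                .map(HostHeaderCheckHandler::normalize)
                .collect(Collectors.toSet());
    }

    // Host names are case-insensitive; trim stray whitespace as well.
    static String normalize(String host) {
        return host.trim().toLowerCase(Locale.ROOT);
    }

    /** True only for a present Host value that is on the allow list. */
    public boolean isAllowed(String hostHeader) {
        return hostHeader != null && allowedHosts.contains(normalize(hostHeader));
    }

    @Override
    public void handle(String target, Request baseRequest,
                       HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        if (!isAllowed(request.getHeader("Host"))) {
            // RFC 7230 section 5.4: respond 400 to an unacceptable Host and
            // do not process the request further (no redirect is ever built).
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            response.setContentType("text/plain;charset=utf-8");
            response.getWriter().println("Invalid Host header");
            baseRequest.setHandled(true); // stop the handler chain here
            return;
        }
        super.handle(target, baseRequest, request, response);
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        // The web app from the question; the war path is an assumption.
        WebAppContext webapp = new WebAppContext();
        webapp.setContextPath("/myweb");
        webapp.setWar("myweb.war");

        // Constructed allow list: what legitimate clients actually send.
        HostHeaderCheckHandler hostCheck = new HostHeaderCheckHandler(
                Set.of("localhost:8080", "app.example.com"));

        // Wrap the context so the Host check is the first thing that runs.
        hostCheck.setHandler(webapp);
        server.setHandler(hostCheck);

        server.start();
        server.join();
    }
}
```

The handler answers 400 rather than redirecting to a known-good host, because a redirect would still have to be built from some Host value; failing closed is simpler and matches what the original filter already did for non-redirected requests. The same class can be wired into a jetty.xml-based deployment as the Server's handler with the existing handler collection as its child; the embedded wiring above is just the shortest way to show the ordering.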

Re: How to prevent host header injection redirection in jetty

Xiao Li
Thank you very much!

On Fri, Sep 27, 2019 at 10:41 AM Simone Bordet <[hidden email]> wrote:
> Hi,
>
> On Fri, Sep 27, 2019 at 4:08 PM Xiao Li <[hidden email]> wrote:
> >
> > I have a filter in webdefault.xml. In the filter, I can compare HOST header value with a list of trusted host values. If the value in HOST header is not in the list, I fail the http request. The problem is that when 302 happens, the filter is not hit. For example, I have a web app say myweb. http://host:port/myweb will be automatically redirected to http://host:port/myweb/ by jetty. If HOST header is injected in http request http://host:port/myweb, since the filter is not hit, the request will be redirected to a site specified in HOST header value.
> >
>
> Jetty would not know where to redirect to, unless you have configured
> some Jetty Handler that does that.
> If that is the case, then your option is to use a Jetty Handler in
> front of the others (rather than a Filter) to perform your Host header
> checks.
> Alternatively, you remove the redirecting Jetty Handler and do
> everything from Filters: one that does Host header checks, and a
> following one that does redirection.
