Shulou(Shulou.com)06/01 Report--

This article shows you the principle of Java HTTP Host head attack and how to defend it. The content is concise and easy to understand. It will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

It is very common for Java programmers to run multiple programs on a server.

But after doing so, there will be a problem, that is, it is easy to cause Host header attacks. This is also a problem encountered by a netizen in the WeChat group before. I'm here to talk to you today.

Host header (host header or host header) attacks are very common. For example, in jsp, we might usually have code similar to the following.

The above several loading paths are all url addresses obtained through host, and then stitched together with fixed content.

At this time, if I change your host head, for example, to my www.xttblog.com. Then the js file you are loading may come from the js file that has already been trapped on my website.

In this way, hackers can get your cookie, user name, password and other key data. This is the famous host header attack.

What's more, put virus, mining and other code on your website. And you don't know you're being used.

So how to solve this kind of problem? Quite simply, let's take Nginx as an example, we just need to modify the configuration file. Apache, I won't give an example.

Add a default server that jumps to the default server when the host header is modified to match the server, and the default server directly returns a 403 error.

Just restart nginx.

In addition to this, you can also add detection rules to the target server. For example, the following if determines the configuration.

In addition, in the configuration file of Tomcat, we can also directly configure the name of Host to the specific ip address instead of localhost.

To put it bluntly, this vulnerability is because you used Host instead of verifying it.

At present, Green League, burpsuite, 360and other tools can detect this vulnerability!

The above is the principle of Java HTTP Host head attack and how to defend it. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.