[WEB SECURITY] HTTP cache poisoning via Host header injection

Bil Corry bil at corry.biz
Fri Jun 20 17:00:19 EDT 2008


Ivan Ristic wrote on 6/19/2008 10:51 AM: 
>> That catch-all path contains a single default.html file that has a static
>> "Domain does not exist" message.  This effectively white-lists the Host
>> header for all sites on the server.
> 
> Your default file will only be invoked for requests for the root of
> the site. I suggest that you use a mod_rewrite rule to respond to all
> requests with a 404, and to use ErrorDocument 404 to make sure the
> default file is always displayed.

Ah, good catch.  My testing had been centered around my webapp, which also has a defense built-in, muddling my testing.

I decided to go with 403 instead to keep it simple:

	<VirtualHost *:80>
		ServerName 190.190.190.190
		DocumentRoot /var/www/html/default
		RewriteEngine On
		RewriteRule (.*)  - [F]
	</VirtualHost>

Thanks,

- Bil


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list