HTTP Host 头攻击漏洞

1.添加系统变量,默认127.0.0.1

1.是否开启请求头拦截: ISHTTPHOST : 1
2.httpHost主机白名单 HTTP_HOST_WHITELIST 127.0.0.1,192.168.20.215

2. je-web添加代码

package com.je.core.filter;

import com.google.common.base.Strings;
import com.je.core.util.WebUtils;

import javax.servlet.*;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

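@SuppressWarnings("serial")
public class HttpHostFilter extends HttpServlet implements Filter {

    /** Back-end variable that switches the check on: only the exact value {@code "1"} enables it. */
    private static final String ENABLE_KEY = "ISHTTPHOST";

    /** Back-end variable holding the comma-separated list of allowed host names / addresses. */
    private static final String WHITELIST_KEY = "HTTP_HOST_WHITELIST";

    /** Loopback address that is always accepted while the check is enabled. */
    private static final String LOOPBACK = "127.0.0.1";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to set up: the switch and the whitelist are read from the back-end
        // variables on every request, so config changes take effect without a restart.
    }

    /**
     * Rejects requests whose {@code Host} header is not an allowed host.
     *
     * <p>Only the {@code Host} header itself is inspected. A request that carries no
     * {@code Host} header is passed through unchanged, and forwarded-host headers set by
     * a reverse proxy are not looked at by this filter.
     *
     * @param req         the incoming request (must be an {@link HttpServletRequest})
     * @param res         the response; set to 403 when the host is rejected
     * @param filterChain the rest of the chain, invoked only for accepted requests
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String requestHost = request.getHeader("host");
        if (requestHost != null && !checkBlankList(requestHost)) {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        filterChain.doFilter(request, response);
    }

    /**
     * Decides whether the given {@code Host} header value is allowed.
     *
     * <p>The check is skipped (everything allowed) unless {@code ISHTTPHOST} is exactly
     * {@code "1"}. When enabled, the port is stripped and the remaining host name must be
     * equal (case-insensitively) to {@code 127.0.0.1} or to one entry of
     * {@code HTTP_HOST_WHITELIST}. Whole-entry comparison is used deliberately: the
     * earlier {@code contains}/{@code indexOf} matching accepted values such as
     * {@code 127.0.0.1.example} or any single character that appeared in the list.
     *
     * @param host raw {@code Host} header value, never {@code null}
     * @return {@code true} when the request may proceed
     */
    private boolean checkBlankList(String host) {
        if (!"1".equals(WebUtils.getBackVar(ENABLE_KEY))) {
            return true;
        }
        String hostName = stripPort(host);
        if (LOOPBACK.equalsIgnoreCase(hostName)) {
            return true;
        }
        // The whitelist variable may be unset; treat that as "nothing besides loopback".
        return isWhitelisted(hostName, WebUtils.getBackVar(WHITELIST_KEY));
    }

    /**
     * Removes an optional {@code :port} suffix from a {@code Host} header value.
     *
     * <p>Bracketed IPv6 literals ({@code [::1]:8080}) are reduced to the address inside
     * the brackets, so IPv6 whitelist entries are written without brackets.
     *
     * @param host raw header value
     * @return the host name or address without port; may be empty for malformed input
     */
    private static String stripPort(String host) {
        String value = host.trim();
        if (value.startsWith("[")) {
            int close = value.indexOf(']');
            return close > 0 ? value.substring(1, close) : value;
        }
        int colon = value.indexOf(':');
        return colon > 0 ? value.substring(0, colon) : value;
    }

    /**
     * Exact, case-insensitive membership test against a comma-separated whitelist.
     *
     * @param hostName  host without port
     * @param whitelist comma-separated entries, may be {@code null}
     * @return {@code true} only when one trimmed entry equals {@code hostName};
     *         an empty host name is never accepted
     */
    private static boolean isWhitelisted(String hostName, String whitelist) {
        if (whitelist == null || hostName.isEmpty()) {
            return false;
        }
        for (String entry : whitelist.split(",")) {
            if (entry.trim().equalsIgnoreCase(hostName)) {
                return true;
            }
        }
        return false;
    }

}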

3.添加web.xml配置

    <!--头攻击过滤-->
    <filter>
        <filter-name>HttpHostFilter</filter-name>
        <filter-class>
            com.je.core.filter.HttpHostFilter
        </filter-class>
    </filter>
    <filter-mapping>
        <filter-name>HttpHostFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

4.备注信息

1.如果开启之后没有设置白名单导致系统无法访问，需要手动修改数据库，把 ISHTTPHOST 的值改成 0，或者删除
je_core_config 表中 CONFIG_CODE='ISHTTPHOST' 的记录
2.清理redis中的缓存 backConfigCache
3.登录系统重新设置

最后编辑: 于春辉  文档更新时间: 2024-03-05 11:49   作者:于春辉