tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Cai, Charles [COMRES/RTC/RTC]" <>
Subject Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack
Date Mon, 22 May 2017 18:35:09 GMT
Hi there, 

Server Specs:
Server version: Apache Tomcat/7.0.54
Server built:   May 19 2014 10:26:15
Server number:
OS Name:        Windows Server 2012
OS Version:     6.2
Architecture:   amd64
JVM Version:    1.8.0_121-b13
JVM Vendor:     Oracle Corporation

I'm currently on the process of trying fix a site vulnerability, basically it is one type
of the "Improper Input Handling" attack.

Let's say my website is and there is hacker's website

whenever there is a request send to with modified "Host" header point to, my site will create a redirect to along with whatever the
url it was. e.g.

Response 200 ok

Host: (#been manually modified) 
Response 302 
Send another Redirect to 
My website is running on Tomcat 7, I tried some solution with set up the virtual host by point
the unknown host to a defaultlocalhost which supposed to do nothing. but it still send the
redirect for some reason.

Here attached is my server.xml host configure:
<Engine name="Catalina" defaultHost="defaultlocalhost" jvmRoute="jvm1">  
<Host name=""  appBase="webapps"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true">

    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />

  <Host name="defaultlocalhost"  >
So, my question is, Am I on the right track to prevent this kind of attack ? If yes, what
I did wrong that still not working? (The ultimate goal is, if it is not the legit Host that
been passed in, the request should be discard/ignored/return 404 but not redirect with 302)

Thank you in advance.

More references about the attack here : 

Original Post on stackoverflow:

Charles Cai | Web Application Developer | RIDGID
Emerson Commercial & Residential Solutions |

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message