Issue: Base Tag Hijacking
Description:
Base tag hijacking allows an attacker to control the base URL against which all relative resources are resolved, allowing the attacker to load external scripts and resources and take control of the current user session.
Remediation:
This can be prevented by adding a filter that only allows requests whose Host header matches the configured list of host names.
Follow the steps below to add the filter:
- Add the filter below to web.xml:
<filter> <filter-name>CustomFilter</filter-name> <filter-class>com.temp.CustomFilter</filter-class> <init-param> <param-name>validHosts</param-name> <param-value>hostname1;hostname2</param-value> </init-param> </filter> <filter-mapping> <filter-name>CustomFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
- Create the filter class and, in its doFilter() method, read the Host header and verify the host name as shown below:
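package com.temp;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects requests whose {@code Host} header is not on a configured allow-list.
 *
 * <p>An application that builds absolute URLs (for example a {@code <base href>}) from the
 * incoming {@code Host} header can be pointed at an attacker-chosen origin when that header
 * is forged. This filter answers such requests with {@code 400 Bad Request} before they
 * reach the application, and fails closed: a missing, blank, non-ASCII or unlisted
 * {@code Host} value is rejected.
 *
 * <p>Configuration: the {@code validHosts} init-param holds a {@code ;}-separated list of
 * host values. Each entry is compared against the whole header value, so an entry must
 * include the port when clients send one (e.g. {@code example.com:8443}). Comparison is
 * case-insensitive (DNS names are case-insensitive); surrounding whitespace and empty
 * entries are ignored. Deployment fails if the list is missing or yields no usable entry.
 */
public class CustomFilter implements Filter {

    /** Name of the init-param holding the {@code ;}-separated allow-list. */
    private static final String VALID_HOSTS_PARAM = "validHosts";

    /** Normalised (trimmed, lower-cased) allowed host values; empty until {@link #init}. */
    private Set<String> validHosts = Collections.emptySet();

    public CustomFilter() {
        super();
    }

    /**
     * Reads and validates the {@code validHosts} init-param.
     *
     * @throws ServletException if the parameter is absent, contains no usable entry, or
     *     contains an entry that is not printable ASCII — failing at deployment time is
     *     preferable to rejecting (or accepting) every request at runtime
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String configured = filterConfig.getInitParameter(VALID_HOSTS_PARAM);
        Set<String> hosts;
        try {
            hosts = parseHosts(configured);
        } catch (IllegalArgumentException e) {
            throw new ServletException("Invalid filter init-param '" + VALID_HOSTS_PARAM + "'", e);
        }
        if (hosts.isEmpty()) {
            throw new ServletException("Filter init-param '" + VALID_HOSTS_PARAM
                    + "' must list at least one host name");
        }
        this.validHosts = Collections.unmodifiableSet(hosts);
    }

    /**
     * Passes the request on only when its {@code Host} header is on the allow-list;
     * otherwise discards any buffered output and answers {@code 400 Bad Request}.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) request;
        HttpServletResponse httpResp = (HttpServletResponse) response;
        // Servlet header lookup is case-insensitive; a missing header yields null.
        if (!isAllowedHost(httpReq.getHeader("HOST"))) {
            httpResp.reset();
            httpResp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    /**
     * Returns whether a raw {@code Host} header value matches a configured host.
     *
     * @param hostHeader the header value, possibly {@code null}
     * @return {@code true} only for a non-blank, printable-ASCII value on the allow-list
     */
    boolean isAllowedHost(String hostHeader) {
        if (hostHeader == null) {
            return false;
        }
        String host = hostHeader.trim();
        // A valid Host header is ASCII (IDNs arrive as punycode). Refusing anything else
        // also avoids Unicode case-folding surprises when lower-casing for comparison.
        if (host.isEmpty() || !isPrintableAscii(host)) {
            return false;
        }
        return validHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    /**
     * Splits the init-param value into trimmed, lower-cased entries, dropping blanks.
     *
     * @param configured the raw {@code ;}-separated value, possibly {@code null}
     * @return the normalised entries (empty for {@code null} or blank input)
     * @throws IllegalArgumentException if an entry is not printable ASCII
     */
    static Set<String> parseHosts(String configured) {
        Set<String> hosts = new HashSet<String>();
        if (configured == null) {
            return hosts;
        }
        for (String entry : configured.split(";")) {
            String host = entry.trim();
            if (host.isEmpty()) {
                continue; // tolerate "a;;b" and trailing separators without creating a "" entry
            }
            if (!isPrintableAscii(host)) {
                throw new IllegalArgumentException("Host entry is not printable ASCII: " + host);
            }
            hosts.add(host.toLowerCase(Locale.ROOT));
        }
        return hosts;
    }

    /** Returns whether every character of {@code s} is in the printable ASCII range 0x21-0x7E. */
    private static boolean isPrintableAscii(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x21 || c > 0x7E) {
                return false;
            }
        }
        return true;
    }
}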