WebSphere Application Server & Liberty

Hello,

We have run a penetration test using HCL AppScan against an application running on WebSphere Liberty 23.0.0.5 which identified a risk of Host Header Injection with wording such as

Risk: It is possible to deface the site content through web-cache poisoning
It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social
security number etc.Cause: Lack of input validation and sanitization
Fix: Construct HTTP headers very carefully, avoiding the use of non-validated/unsanitized input data

I am told by some colleagues that this was resolved in Wildfly via the use of filters such as

<filter-ref name="host-checker"/>

    <filters>        <expression-filter name="host-checker" expression="not(equals(%{i,HOST}, validhost)) -> response-code(403)"/>    </filters>

is there any equivalent setting that can be applied to the server.xml of WebSphere Liberty? I found this article https://openliberty.io/docs/latest/forwarded-header.html but I could not find any clear examples with example urls or regexp - just this generic example :-

<remoteIp proxies="<regular_expression>" useRemoteIpInAccessLog="<true/false>"/>

Is this the right setting and if so can anybody please suggest how this can be used to achieve the desired result or if there are other ways to satisfy this penetration test (and prevent genuine threats of this type)

Thanks

Rod

Hello,

We have run a penetration test using HCL AppScan against an application running on WebSphere Liberty 23.0.0.5 which identified a risk of Host Header Injection with wording such as

Risk: It is possible to deface the site content through web-cache poisoning
It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social
security number etc.Cause: Lack of input validation and sanitization
Fix: Construct HTTP headers very carefully, avoiding the use of non-validated/unsanitized input data

I am told by some colleagues that this was resolved in Wildfly via the use of filters such as

<filter-ref name="host-checker"/>

    <filters>        <expression-filter name="host-checker" expression="not(equals(%{i,HOST}, validhost)) -> response-code(403)"/>    </filters>

is there any equivalent setting that can be applied to the server.xml of WebSphere Liberty? I found this article https://openliberty.io/docs/latest/forwarded-header.html but I could not find any clear examples with example urls or regexp - just this generic example :-

<remoteIp proxies="<regular_expression>" useRemoteIpInAccessLog="<true/false>"/>

Is this the right setting and if so can anybody please suggest how this can be used to achieve the desired result or if there are other ways to satisfy this penetration test (and prevent genuine threats of this type)

Thanks

Rod