检测到目标URL存在http host头攻击漏洞

1.添加java过滤器

import com.xx.sys.core.util.ResourceUtil;
import org.springframework.http.HttpStatus;
 
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
 
/**
 * @Description: 检测到目标URL存在http host头攻击漏洞
 * @Author: t
 * @Createtime: 2022/9/28 11:30
 */
public class HostCheckFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
 
    }
 
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        //从配置文件或其他地方获取 正确的值 例：public.cnemc.cn,192.168.1.1
        String hostName = ResourceUtil.getConfigByName("127.0.0.1");
        String[] split = hostName.split(",");
        List hostNameList = Arrays.stream(split).collect(Collectors.toList());
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        String host = request.getHeader("Host");
        if(host.contains(":")){
            host = host.substring(0, host.indexOf(":"));
        }
        if (hostNameList.contains(host)){
            filterChain.doFilter(servletRequest, servletResponse);
        }else{
            HttpServletResponse response = (HttpServletResponse) servletResponse;
            response.setStatus(HttpStatus.BAD_REQUEST.value());
            return;
        }
    }
 
    @Override
    public void destroy() {
 
    }
}

2.web.xml文件添加配置

<filter>
		<filter-name>hostCheckFilterfilter-name>
		<filter-class>com.xxxx.HostCheckFilterfilter-class>
	filter>
	<filter-mapping>
		<filter-name>hostCheckFilterfilter-name>
		<url-pattern>/*url-pattern>
	filter-mapping>

3.验证是否成功

        例如hostName配置为127.0.0.1，在浏览器中使用localhost无法访问即为成功。