1.添加java过滤器
import com.xx.sys.core.util.ResourceUtil;
import org.springframework.http.HttpStatus;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
/**
* @Description: 检测到目标URL存在http host头攻击漏洞
* @Author: t
* @Createtime: 2022/9/28 11:30
*/
public class HostCheckFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
//从配置文件或其他地方获取 正确的值 例:public.cnemc.cn,192.168.1.1
String hostName = ResourceUtil.getConfigByName("127.0.0.1");
String[] split = hostName.split(",");
List<String> hostNameList = Arrays.stream(split).collect(Collectors.toList());
HttpServletRequest request = (HttpServletRequest) servletRequest;
String host = request.getHeader("Host");
if(host.contains(":")){
host = host.substring(0, host.indexOf(":"));
}
if (hostNameList.contains(host)){
filterChain.doFilter(servletRequest, servletResponse);
}else{
HttpServletResponse response = (HttpServletResponse) servletResponse;
response.setStatus(HttpStatus.BAD_REQUEST.value());
return;
}
}
@Override
public void destroy() {
}
}
2.web.xml文件添加配置
<filter>
<filter-name>hostCheckFilter</filter-name>
<filter-class>com.xxxx.HostCheckFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>hostCheckFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
3.验证是否成功
例如hostName配置为127.0.0.1,在浏览器中使用localhost无法访问即为成功。