目标URL存在http host头攻击漏洞

package com.wx.filter;

import com.wx.util.ConfKit;
import org.apache.log4j.Logger;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Locale;

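/**
 * Servlet filter that rejects requests whose {@code Host} header is not on the
 * configured allowlist, as a defence against HTTP Host header attacks.
 *
 * <p>The allowlist is read from the {@code okHost} property via
 * {@link ConfKit#getProps(String)}. One or more host values may be given,
 * separated by commas or whitespace (for example {@code localhost:8080}).
 * A request host must match one entry exactly (case-insensitively) — the
 * previous substring test would have accepted {@code localhost:80} or
 * {@code ocalhost:8080} against an allowlist of {@code localhost:8080}.
 *
 * <p>Created by 123 on 2018-05-14.
 */
@WebFilter(filterName = "HostFilter")
public class HostFilter implements Filter {
    /** Left public and non-final so existing references to it keep compiling. */
    public static Logger logger = Logger.getLogger(HostFilter.class);

    /** Configuration property that holds the allowed {@code Host} values. */
    private static final String OK_HOST_PROPERTY = "okHost";

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * Compares the request's {@code Host} header with the allowlist and either
     * answers {@code 403 Forbidden} or passes the request down the chain.
     *
     * <p>A request without a {@code Host} header, or one arriving while the
     * allowlist is not configured, is rejected: letting either case through
     * would silently bypass the check (the original code skipped the test when
     * the header was absent and threw on a missing property).
     *
     * @param req   the incoming request; must be an {@link HttpServletRequest}
     * @param resp  the outgoing response; must be an {@link HttpServletResponse}
     * @param chain the remaining filter chain
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws ServletException, IOException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Header names are case-insensitive; "Host" is the canonical spelling.
        String requestHost = request.getHeader("Host");
        logger.info("requestHost:" + requestHost);

        String okHosts = ConfKit.getProps(OK_HOST_PROPERTY);
        if (okHosts == null) {
            // Misconfiguration: fail closed instead of throwing or letting everything through.
            logger.error("okHost is not configured; rejecting request");
        }
        if (!isAllowedHost(requestHost, okHosts)) {
            logger.warn("rejected request with Host header: " + requestHost);
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);
    }

    /**
     * Returns whether {@code requestHost} exactly matches one entry of the
     * allowlist {@code okHosts}.
     *
     * @param requestHost the value of the {@code Host} request header; may be null
     * @param okHosts     allowed host values separated by commas or whitespace;
     *                    may be null when the property is not configured
     * @return {@code true} only if a non-blank {@code requestHost} equals one
     *         allowlist entry, ignoring surrounding whitespace and ASCII case
     */
    static boolean isAllowedHost(String requestHost, String okHosts) {
        if (requestHost == null || okHosts == null) {
            return false;
        }
        String wanted = requestHost.trim().toLowerCase(Locale.ROOT);
        if (wanted.isEmpty()) {
            return false;
        }
        // Whole-entry equality, never indexOf: a substring match lets a
        // crafted host such as "localhost:80" pass for "localhost:8080".
        for (String entry : okHosts.split("[,\\s]+")) {
            if (entry.toLowerCase(Locale.ROOT).equals(wanted)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        // no per-filter initialisation needed
    }

}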

其中okHost为允许的host头,在测试环境下为:localhost:8080

转自:https://blog.csdn.net/ahuyangdong/article/details/79091699
