Protecting from host header injection

Prevent this security vulnerability by implementing properties for whitelisting servers in the Decision Center and Rule Execution Server archives.

About this task

When building URIs for links in web applications, developers typically use the HTTP Host header that arrives in the request sent from the client side. An attacker can exploit this practice by sending a forged Host header that contains a domain name of their choosing, which can be used, for example, to corrupt the web cache or password reset emails.

Follow this procedure to prevent a host header injection attack on Decision Center and Rule Execution Server.

Procedure

  1. Configure parameters for Decision Center:

    Go to the <InstallDir>/teamserver/applicationservers/ directory and find the Decision Center archive for your application server:

    • In the Java™ SE deployment, decompress the decisioncenter.war archive, open the teamserver-model.jar file, and then open the ilog/rules/teamserver/preferences.properties file inside it.
    • In the Java™ EE deployment, decompress the jrules-teamserver-<your_platform>.ear archive and find ilog/rules/teamserver/preferences.properties.
    Add the following parameters if they do not already exist:
    com.ibm.rules.decisioncenter.check-host = true
    com.ibm.rules.decisioncenter.host-whitelist-patterns = <url_patterns>
    Parameter descriptions:

    com.ibm.rules.decisioncenter.check-host
      When it is set to true, the host servers are verified. The default value is false.

    com.ibm.rules.decisioncenter.host-whitelist-patterns
      Specifies the URLs that need to be whitelisted.
      Note:
      • This property value is a regular expression, so the ".*" at the end is required to specify any following characters.
      • You can specify several values, separated by a comma.
  2. Configure a parameter for Rule Execution Server:

    Go to the <InstallDir>/executionserver/applicationservers/ directory and find the Rule Execution Server management archive for your application server:

    • In the Java™ SE deployment, decompress the res.war archive and open the WEB-INF/web.xml file.
    • In the Java™ EE deployment, decompress the jrules-res-management-<your_platform>.ear archive and find the res.war file inside it. Then, decompress res.war and find its WEB-INF/web.xml file.
    In the web.xml file, find the ilog.rules.res.TRUSTED_HOSTS_CONFIGURATION parameter:
    <context-param>
       <description>
          Host HTTP header protection configuration.
          When enabled, please provide a list of trusted hosts (separated by semicolons).
          Each host must be a valid regular expression.
          Example: enableHostsWhitelist=true,hosts=host1.com;.*\.company\.com;myserver
       </description>
       <param-name>ilog.rules.res.TRUSTED_HOSTS_CONFIGURATION</param-name>
       <param-value>enableHostsWhitelist=false,hosts=</param-value>
    </context-param>
    Parameter description:

    ilog.rules.res.TRUSTED_HOSTS_CONFIGURATION
      When enableHostsWhitelist is set to true, protection against host header injection is enabled. In this case, enter the list of host servers that are trusted. You can enter multiple hosts, separated by a semicolon (;). The default value of enableHostsWhitelist is false, which accepts any host.

  3. Repackage and redeploy the Decision Center and Rule Execution Server archives.
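As an added illustration (not code from the product), the following Python models how the two whitelist settings above can be parsed and checked: the semicolon-separated ilog.rules.res.TRUSTED_HOSTS_CONFIGURATION value, and the comma-separated Decision Center pattern list with its required ".*" suffix. It assumes that a host pattern is matched against the whole host name, ignoring case and any port, which the page does not state; all host names and patterns in it are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class TrustedHostsConfig:
    """Parsed form of the ilog.rules.res.TRUSTED_HOSTS_CONFIGURATION value."""
    enabled: bool
    patterns: List[re.Pattern] = field(default_factory=list)


def parse_trusted_hosts(value: str) -> TrustedHostsConfig:
    """Parse 'enableHostsWhitelist=<bool>,hosts=<regex>;<regex>;...'.

    Hypothetical parser written for this example, not the product's own.
    Hosts are compiled case-insensitively because DNS names are not case-sensitive.
    """
    flag_part, sep, hosts_part = value.partition(",hosts=")
    if not sep or not flag_part.startswith("enableHostsWhitelist="):
        raise ValueError(f"malformed configuration: {value!r}")
    enabled = flag_part[len("enableHostsWhitelist="):].strip().lower() == "true"
    patterns = [re.compile(p.strip(), re.IGNORECASE)
                for p in hosts_part.split(";") if p.strip()]
    if enabled and not patterns:
        # An enabled whitelist with no hosts would reject every request.
        raise ValueError("enableHostsWhitelist=true requires a non-empty hosts list")
    return TrustedHostsConfig(enabled, patterns)


def is_trusted_host(config: TrustedHostsConfig, host_header: str) -> bool:
    """Return True if a Host header value may be used to build links.

    With protection disabled (the shipped default) every host is accepted.
    Assumption: the port is stripped and each pattern must match the entire
    host name (fullmatch), so 'rules.company.com.example' cannot satisfy
    '.*\\.company\\.com' by a partial match.
    """
    if not config.enabled:
        return True
    host = host_header.strip()
    if host.startswith("["):            # IPv6 literal such as [::1]:9080
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]       # drop an explicit port, e.g. host1.com:9080
    return any(p.fullmatch(host) for p in config.patterns)


def dc_patterns_missing_suffix(value: str) -> List[str]:
    """Split a com.ibm.rules.decisioncenter.host-whitelist-patterns value on commas
    and return the entries that lack the trailing '.*' the documentation requires."""
    entries = (v.strip() for v in value.split(","))
    return [p for p in entries if p and not p.endswith(".*")]
```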