A way to mitigate CVE-2017-8295
Hello experts, I may be wrong in my approach, but I'm trying to mitigate CVE-2017-8295 by forcing the request to a known fixed host name (e.g. ). So when another requested host reaches my virtual server, it will be blocked, preventing the attacker from receiving the admin user's password reset at their fake domain (Return-Path).
The problem is that I am not able to do this with ASM, even when I try to force that hostname into the list of known host names (Application Security > Headers > Host Names).
Is there any right way to do this? The ASM policy is ignoring the fake test host name even when I try to block everything related to host names (CSRF, redirection protection, etc.). (Yes, ASM isn't in staging for any objects and is in blocking mode.)
Any ideas? I'd appreciate it.
Regards.
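As an added example (not part of the original post, and not an ASM policy setting), the same Host allowlist the poster describes can be enforced with an iRule attached to the virtual server. The host names `www.example.com` and `example.com` are placeholders for the real known host; the virtual server is assumed to have an HTTP profile so `HTTP::host` is available. Because CVE-2017-8295 relies on the application building the reset mail from whatever Host header it receives, dropping any request whose Host is not on the list means a spoofed value never reaches the application at all.

```tcl
# Added example (not from the original post): reject any request whose Host
# header is not one of the virtual server's known host names.
# Assumptions: www.example.com / example.com are placeholders for the real
# host name(s); the virtual server has an HTTP profile attached.
when RULE_INIT {
    # Host names the application legitimately answers for, in lowercase.
    set static::allowed_hosts [list "www.example.com" "example.com"]
}

when HTTP_REQUEST {
    # HTTP::host may carry a port (e.g. "www.example.com:443") and arbitrary
    # case, so normalise to the bare lowercase name before comparing.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    if { [lsearch -exact $static::allowed_hosts $host] == -1 } {
        # Record the spoofed value and the client, then drop the connection
        # so the application never sees the request.
        log local0. "Rejected Host header '[HTTP::host]' from [IP::client_addr]"
        reject
    }
}
```

The allowlist is compared with `lsearch -exact`, so partial or suffix matches such as `www.example.com.attacker.example` do not pass; if the application is also reached by its bare IP or by internal monitoring hosts, those names must be added to `static::allowed_hosts` or the health checks will be rejected as well.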