Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-09-01 Thread Bhavesh Mistry
Hi Mark,

Thanks for your help. We will go with validation against a known trusted
host list as you suggested. Also, I have updated
https://bz.apache.org/bugzilla/show_bug.cgi?id=64353 with a reference to the
discussion.

As always, thanks for your wonderful support!

Thanks,

Bhavesh

On Tue, Aug 29, 2023 at 2:07 PM Mark Thomas  wrote:

> On 29/08/2023 21:51, Bhavesh Mistry wrote:
> > Hi Mark,
> >
> >> curl - -k "https://www.mydomain.com/login" -H 'Host:
> >> attackerHostHeaderInjection.com'
> >
> > *Why? What problem are you trying to solve?*
> >
> > Host Header injection is a vulnerability that needs to be addressed. I
> > am trying to solve the case where the host is a mismatch with the HOST
> > (or Authority) header, because links are generated based on the host
> > headers.
> >
> > For now the only way to prevent it is to have a set of allowed hosts and
> > check against this list.
>
> I'd argue that links shouldn't be being generated based on the Host
> header. You should be able to use relative links. That said...
>
> Given the wide variety of deployment architectures (CDN, reverse proxy
> etc.) if you do need to use the Host header, validation against a known
> trusted list is probably the most robust option. TLS information may not
> always be available.
>
> > Should I update the bug to provide SNI information for the request or
> > should I file another request?
> > See also https://bz.apache.org/bugzilla/show_bug.cgi?id=64353
>
> I'd say add it to that issue as the two are closely related.
>
> > 3) I tried the following but again curl shows it never sent
> > www.mydomain.com since it was only used to reach the IP. (This is what
> > Thomas Hoffmann mentioned.)
> > https://serverfault.com/questions/850955/tomcat-virtual-host-to-prevent-improper-input-handling-attack
> >
> > Thanks for your help so far.
>
> There is another option.
>
> The Host header is used for virtual host selection. If you create a
> valid virtual host for each valid host name (you can have aliases so
> they could all go to the same host) then the default virtual host could
> just have a ROOT webapp that returns the 4xx response of your choice.
>
> It is just a different way of implementing an allow list for the Host
> header. The advantage is that it is transparent to the application(s).
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-29 Thread Mark Thomas

On 29/08/2023 21:51, Bhavesh Mistry wrote:
> Hi Mark,
>
>> curl - -k "https://www.mydomain.com/login" -H 'Host:
>> attackerHostHeaderInjection.com'
>
> *Why? What problem are you trying to solve?*
>
> Host Header injection is a vulnerability that needs to be addressed. I am
> trying to solve the case where the host is a mismatch with the HOST (or
> Authority) header, because links are generated based on the host headers.
>
> For now the only way to prevent it is to have a set of allowed hosts and
> check against this list.

I'd argue that links shouldn't be being generated based on the Host
header. You should be able to use relative links. That said...

Given the wide variety of deployment architectures (CDN, reverse proxy
etc.) if you do need to use the Host header, validation against a known
trusted list is probably the most robust option. TLS information may not
always be available.

> Should I update the bug to provide SNI information for the request or
> should I file another request?
> See also https://bz.apache.org/bugzilla/show_bug.cgi?id=64353

I'd say add it to that issue as the two are closely related.

> 3) I tried the following but again curl shows it never sent
> www.mydomain.com since it was only used to reach the IP. (This is what
> Thomas Hoffmann mentioned.)
> https://serverfault.com/questions/850955/tomcat-virtual-host-to-prevent-improper-input-handling-attack
>
> Thanks for your help so far.

There is another option.

The Host header is used for virtual host selection. If you create a
valid virtual host for each valid host name (you can have aliases so
they could all go to the same host) then the default virtual host could
just have a ROOT webapp that returns the 4xx response of your choice.

It is just a different way of implementing an allow list for the Host
header. The advantage is that it is transparent to the application(s).

Mark

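The application-level allow list that the thread settles on (the alternative to Mark's virtual-host approach), written as a Tomcat 9 (javax.servlet) Filter; this is an added example, not code from the thread, from Tomcat or from Spring's StrictHttpFirewall. It assumes Tomcat's HTTP/2 connector presents the :authority pseudo-header as the Host header, and the names in ALLOWED_HOSTS are constructed placeholders.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects any request whose Host header (for HTTP/2, the :authority value that
 * Tomcat is assumed to present as the Host header) is not on a fixed allow list.
 * Map it to "/*" in web.xml or with @WebFilter so it runs before the application.
 */
public class HostAllowListFilter implements Filter {

    // Constructed placeholder allow list: lower-case host names, no port.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("www.mydomain.com", "mydomain.com");

    /** Extracts the host name from a Host header value; null if absent or malformed. */
    static String hostNameOf(String hostHeader) {
        if (hostHeader == null) {
            return null;
        }
        String host = hostHeader.trim();
        if (host.startsWith("[")) {                   // IPv6 literal, e.g. "[::1]:8443"
            int end = host.indexOf(']');
            return end < 0 ? null : host.substring(1, end).toLowerCase(Locale.ROOT);
        }
        int colon = host.indexOf(':');                // drop an optional ":port"
        if (colon >= 0) {
            host = host.substring(0, colon);
        }
        return host.isEmpty() ? null : host.toLowerCase(Locale.ROOT);
    }

    /** True only for an exact match against the allow list; a missing Host header fails. */
    static boolean isAllowedHost(String hostHeader) {
        String host = hostNameOf(hostHeader);
        return host != null && ALLOWED_HOSTS.contains(host);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (!isAllowedHost(request.getHeader("Host"))) {
            // Any 4xx will do; 400 is used here because the request is malformed for this server.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

With this filter in place the curl request from the thread (`-H 'Host: attackerHostHeaderInjection.com'`) is answered with a 400 before any link is generated, while `Host: www.mydomain.com:8443` still passes.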



Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-29 Thread Bhavesh Mistry
Hi Mark,

> curl - -k "https://www.mydomain.com/login" -H 'Host:
> attackerHostHeaderInjection.com'

*Why? What problem are you trying to solve?*

Host Header injection is a vulnerability that needs to be addressed. I am
trying to solve the case where the host is a mismatch with the HOST (or
Authority) header, because links are generated based on the host headers.

For now the only way to prevent it is to have a set of allowed hosts and check
against this list.

Should I update the bug to provide SNI information for the request or
should I file another request?
See also https://bz.apache.org/bugzilla/show_bug.cgi?id=64353

3) I tried the following but again curl shows it never sent
www.mydomain.com since it was only used to reach the IP. (This is what
Thomas Hoffmann mentioned.)
https://serverfault.com/questions/850955/tomcat-virtual-host-to-prevent-improper-input-handling-attack

Thanks for your help so far.

Thanks,

Bhavesh

On Tue, Aug 29, 2023 at 1:16 PM Mark Thomas  wrote:

> On 29/08/2023 08:00, Bhavesh Mistry wrote:
> > Hi Mark,
> >
> > I am sorry for the delayed response.
> >
> > Basically, when the request URL does not match the host header then I
> > would reject it. For example,
> >
> > curl - -k "https://www.mydomain.com/login" -H 'Host:
> > attackerHostHeaderInjection.com'
>
> Why? What problem are you trying to solve?
>
> > Based on curl -vvv output, the Tomcat server does not know the host name
> > used (www.mydomain.com) but the Host header is attackerHostHeaderInjection.com.
> >
> > In this case I would like to reject the request and send 403 or 404. As
> > you explained, since the request line does not have the full URL,
> > allowHostHeaderMismatch will not reject it.
> >
> > So my idea is, using SNI I could get the hostname and compare it with the
> > HOST header or :authority and reject it.
> >
> > Is it possible to request a new feature on Tomcat to get or expose the SNI
> > name used by the client?
>
> That is certainly possible. How likely it is to get implemented depends
> on the justification.
>
> See also https://bz.apache.org/bugzilla/show_bug.cgi?id=64353
>
> Mark
>
>
>


Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-29 Thread Mark Thomas

On 29/08/2023 08:00, Bhavesh Mistry wrote:
> Hi Mark,
>
> I am sorry for the delayed response.
>
> Basically, when the request URL does not match the host header then I
> would reject it. For example,
>
> curl - -k "https://www.mydomain.com/login" -H 'Host:
> attackerHostHeaderInjection.com'

Why? What problem are you trying to solve?

> Based on curl -vvv output, the Tomcat server does not know the host name
> used (www.mydomain.com) but the Host header is attackerHostHeaderInjection.com.
>
> In this case I would like to reject the request and send 403 or 404. As
> you explained, since the request line does not have the full URL,
> allowHostHeaderMismatch will not reject it.
>
> So my idea is, using SNI I could get the hostname and compare it with the
> HOST header or :authority and reject it.
>
> Is it possible to request a new feature on Tomcat to get or expose the SNI
> name used by the client?

That is certainly possible. How likely it is to get implemented depends
on the justification.

See also https://bz.apache.org/bugzilla/show_bug.cgi?id=64353

Mark




Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-29 Thread Bhavesh Mistry
Hi Mark,

I am sorry for the delayed response.

Basically, when the request URL does not match the host header then I would
reject it. For example,

curl - -k "https://www.mydomain.com/login" -H 'Host:
attackerHostHeaderInjection.com'

Based on curl -vvv output, the Tomcat server does not know the host name used
(www.mydomain.com) but the Host header is attackerHostHeaderInjection.com.

In this case I would like to reject the request and send 403 or 404. As you
explained, since the request line does not have the full URL,
allowHostHeaderMismatch will not reject it.

So my idea is, using SNI I could get the hostname and compare it with the HOST
header or :authority and reject it.

Is it possible to request a new feature on Tomcat to get or expose the SNI
name used by the client?

Thanks,

Bhavesh


On Tue, Aug 22, 2023, 3:03 PM Mark Thomas  wrote:

> Tomcat doesn't expose the SNI information.
>
> What problem are you trying to solve here?
>
> Tomcat rejects requests with mis-matched host headers by default and can
> be configured to allow them in 8.5.x, 9.0.x and 10.1.x. You shouldn't
> need to write any extra code for this.
>
> Mark
>
>
> On 21/08/2023 12:59, Bhavesh Mistry wrote:
> >> Hi Mark and Thomas,
> >>
> >> I understood now that Tomcat does not have information other than HOST
> >> (HTTP 1.1) and :authority: (HTTP2). So there is no way to check what URL
> >> was used to connect and the headers.
> >>
> >> I was wondering if the TLS handshake can provide SNI, which can be used
> >> for this purpose.
> >>
> >> Server Name Indication (SNI) is an extension of the TLS protocol. The
> >> client specifies which hostname they want to connect to using the SNI
> >> extension in the TLS handshake.
> >>
> >> SNI will be the hostname that the browser used to negotiate TLS. So my
> >> idea is to check SNI vs. the (host or :authority:) header and if there is
> >> a mismatch between host/authority vs. SNI, I can reject requests and
> >> throw a 404 status.
> >>
> >> Do you know how I can obtain SNI from the Tomcat HttpRequest object?
> >> What hostname was negotiated with TLS? What do you think of the idea of
> >> checking against SNI and the host or :authority: headers?
> >>
> >> As always, your opinion and suggestions are always appreciated.
> >>
> >> Thanks,
> >>
> >> Bhavesh
> >>
> >
> >
>
>
>


Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-22 Thread Mark Thomas

Tomcat doesn't expose the SNI information.

What problem are you trying to solve here?

Tomcat rejects requests with mis-matched host headers by default and can 
be configured to allow them in 8.5.x, 9.0.x and 10.1.x. You shouldn't 
need to write any extra code for this.


Mark


On 21/08/2023 12:59, Bhavesh Mistry wrote:
> Hi Mark and Thomas,
>
> I understood now that Tomcat does not have information other than HOST
> (HTTP 1.1) and :authority: (HTTP2). So there is no way to check what URL
> was used to connect and the headers.
>
> I was wondering if the TLS handshake can provide SNI, which can be used for
> this purpose.
>
> Server Name Indication (SNI) is an extension of the TLS protocol. The
> client specifies which hostname they want to connect to using the SNI
> extension in the TLS handshake.
>
> SNI will be the hostname that the browser used to negotiate TLS. So my
> idea is to check SNI vs. the (host or :authority:) header and if there is a
> mismatch between host/authority vs. SNI, I can reject requests and throw a
> 404 status.
>
> Do you know how I can obtain SNI from the Tomcat HttpRequest object?
> What hostname was negotiated with TLS? What do you think of the idea of
> checking against SNI and the host or :authority: headers?
>
> As always, your opinion and suggestions are always appreciated.
>
> Thanks,
>
> Bhavesh








Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-21 Thread Bhavesh Mistry
Hi Mark and Thomas,

I understood now that Tomcat does not have information other than HOST
(HTTP 1.1) and :authority: (HTTP2). So there is no way to check what URL
was used to connect and the headers.

I was wondering if the TLS handshake can provide SNI, which can be used for
this purpose.

Server Name Indication (SNI) is an extension of the TLS protocol. The
client specifies which hostname they want to connect to using the SNI
extension in the TLS handshake.

SNI will be the hostname that the browser used to negotiate TLS. So my
idea is to check SNI vs. the (host or :authority:) header and if there is a
mismatch between host/authority vs. SNI, I can reject requests and throw a
404 status.

Do you know how I can obtain SNI from the Tomcat HttpRequest object?
What hostname was negotiated with TLS? What do you think of the idea of
checking against SNI and the host or :authority: headers?

As always, your opinion and suggestions are always appreciated.

Thanks,

Bhavesh


Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-19 Thread Bhavesh Mistry
Hi Mark,

Thanks for your quick reply. According to the spec, the request line has
three parts: HTTP method, path and version. Basically, what I wanted to do
is, if the HOST header does not match the requested server name in the
URL, then return 404 or 403.

Can you please help me with how I can do this? From the raw request, there is
NO way to know what the user-requested URL is and the HOST name, as Tomcat
reconstructed that from the HOST header.

When using the following:

curl - -k "https://10.40.43.26/login?sessionExpire=true" -H 'Host:
attacker.com'

request.getServerName() = attacker.com

request.getHeader("Host") = attacker.com

request.getURL() : https://attacker.com/login?sessionExpire=true

There is no way for the server to know that the HOST header does not match
the URL hostname. So the only way to stop this is to have a
pre-determined list of hostnames and check against it. Do you have any
recommendations on how to detect a host header mismatch from application logic?

The only thing I found is this, to have a list of trusted hosts and compare the
host header against it:
https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java#L549

On Sat, Aug 19, 2023 at 2:10 PM Mark Thomas  wrote:

>
> 19 Aug 2023 19:46:56 Bhavesh Mistry :
>
> > Hi, Tomcat Dev team and Users,
> >
> > I am trying to block the request and give 404 bad requests or 403 when
> > the HOST header does not match the requested server name. My goal is to
> > block whenever there is a mismatch in the host header and URL server name.
> >
> > I would appreciate your help.
>
> Look at the request. Despite the curl command using an IP address, the
> actual request does not contain a host in the request line hence there is
> no mismatch.
>
> Mark
>
>
> >
> > curl - -k "https://10.40.43.26/login?sessionExpire=true" -H 'Host:
> > text.com'
> > * Using Stream ID: 1 (easy handle 0x7f8316012800)
> > > GET /login?sessionExpire=true HTTP/2
> > > Host: text.com
> > > User-Agent: curl/8.1.2
> > > Accept: */*
> >
> > Response:
> >
> > < HTTP/2 200
> > < cache-control: no-cache, no-store, must-revalidate
> > < expect-ct: enforce, max-age=30, report-uri='https://report-uri.com/account/'
> > < pragma: no-cache
> > < expires: Thu, 01 Jan 1970 00:00:00 GMT
> > < set-cookie: JSESSIONID=4D75D564BC3CF7E406A599962DE5C092;Version=1;Path=/versa;Secure;HttpOnly;SameSite=strict
> > < strict-transport-security: max-age=31536000 ; includeSubDomains ; preload
> > < x-xss-protection: 1; mode=block
> > < x-frame-options: DENY
> > < x-content-type-options: nosniff
> > < referrer-policy: strict-origin-when-cross-origin
> > < content-type: text/html;charset=UTF-8
> > < content-length: 4084
> > < date: Sat, 19 Aug 2023 19:02:11 GMT
> >
> > Here is my connector config:
> >
> > <Connector ... connectionTimeout="2"
> >   redirectPort="443" scheme="https" secure="true"
> >   server="Versa Director"
> >   address="${tomcat.address}" maxPostSize="-1"
> >   allowHostHeaderMismatch="false" />
> >
> > <Connector ... protocol="org.apache.coyote.http11.Http11NioProtocol"
> >   relaxedPathChars="[\\]^`{|}"
> >   relaxedQueryChars="[\\]^`{|}" allowHostHeaderMismatch="false"
> >   address="${tomcat.address}" minSpareThreads="100"
> >   maxThreads="200" SSLEnabled="true"
> >   scheme="https" secure="true" maxSwallowSize="-1"
> >   maxPostSize="-1">
> >
> > Thanks,
> >
> > Bhavesh
>
>


Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-19 Thread Mark Thomas



19 Aug 2023 19:46:56 Bhavesh Mistry :

> Hi, Tomcat Dev team and Users,
>
> I am trying to block the request and give 404 bad requests or 403 when
> the HOST header does not match the requested server name. My goal is to
> block whenever there is a mismatch in the host header and URL server name.
>
> I would appreciate your help.

Look at the request. Despite the curl command using an IP address, the
actual request does not contain a host in the request line hence there is
no mismatch.

Mark


> curl - -k "https://10.40.43.26/login?sessionExpire=true" -H 'Host:
> text.com'
> * Using Stream ID: 1 (easy handle 0x7f8316012800)
> > GET /login?sessionExpire=true HTTP/2
> > Host: text.com
> > User-Agent: curl/8.1.2
> > Accept: */*
>
> Response:
>
> < HTTP/2 200
> < cache-control: no-cache, no-store, must-revalidate
> < expect-ct: enforce, max-age=30, report-uri='https://report-uri.com/account/'
> < pragma: no-cache
> < expires: Thu, 01 Jan 1970 00:00:00 GMT
> < set-cookie: JSESSIONID=4D75D564BC3CF7E406A599962DE5C092;Version=1;Path=/versa;Secure;HttpOnly;SameSite=strict
> < strict-transport-security: max-age=31536000 ; includeSubDomains ; preload
> < x-xss-protection: 1; mode=block
> < x-frame-options: DENY
> < x-content-type-options: nosniff
> < referrer-policy: strict-origin-when-cross-origin
> < content-type: text/html;charset=UTF-8
> < content-length: 4084
> < date: Sat, 19 Aug 2023 19:02:11 GMT
>
> Here is my connector config:
>
> <Connector ... connectionTimeout="2"
>   redirectPort="443" scheme="https" secure="true"
>   server="Versa Director"
>   address="${tomcat.address}" maxPostSize="-1"
>   allowHostHeaderMismatch="false" />
>
> <Connector ... protocol="org.apache.coyote.http11.Http11NioProtocol"
>   relaxedPathChars="[\\]^`{|}"
>   relaxedQueryChars="[\\]^`{|}" allowHostHeaderMismatch="false"
>   address="${tomcat.address}" minSpareThreads="100"
>   maxThreads="200" SSLEnabled="true"
>   scheme="https" secure="true" maxSwallowSize="-1"
>   maxPostSize="-1">
>
> Thanks,
>
> Bhavesh

