Re: Tomcat Virtual Host to prevent Improper-Input-Handling attack

Mon, 13 Sep 2021 06:28:34 -0700 

Pradeep,

On 9/10/21 17:38, Pradeep wrote:

My application is HTTPS not HTTP and now one of the application security
platforms  WhitHatSec raised this vulnerability issue.


I tried to reproduce your "attack" on Tomcat 8.5.59, like this:

$ cat forge
GET www.microsoft.com/ HTTP/1.1
Host: www.microsoft.com


$ od -t x1 -a forge
0000000    47  45  54  20  77  77  77  2e  6d  69  63  72  6f  73  6f  66
           G   E   T  sp   w   w   w   .   m   i   c   r   o   s   o   f
0000020    74  2e  63  6f  6d  2f  20  48  54  54  50  2f  31  2e  31  0d
           t   .   c   o   m   /  sp   H   T   T   P   /   1   .   1  cr
0000040    0a  48  6f  73  74  3a  20  77  77  77  2e  6d  69  63  72  6f
          nl   H   o   s   t   :  sp   w   w   w   .   m   i   c   r   o
0000060    73  6f  66  74  2e  63  6f  6d  0d  0a  0d  0a
           s   o   f   t   .   c   o   m  cr  nl  cr  nl

$ nc tomcat 8080 < forge
HTTP/1.1 400
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 795
Date: Mon, 13 Sep 2021 13:22:51 GMT
Connection: close


<!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad 
Request</title><style type="text/css">body 
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b 
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2 
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a 
{color:black;} .line 
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP 
Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Status 
Report</p><p><b>Message</b> Invalid URI</p><p><b>Description</b> The 
server cannot or will not process the request due to something that is 
perceived to be a client error (e.g., malformed request syntax, invalid 
request message framing, or deceptive request routing).</p><hr 
class="line" /><h3>


Changing the "www.microsoft.com" to "http://www.microsoft.com"; returns this:

HTTP/1.1 404
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 751
Date: Mon, 13 Sep 2021 13:25:22 GMT


<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not 
Found</title><style type="text/css">body 
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b 
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2 
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a 
{color:black;} .line 
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP 
Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status 
Report</p><p><b>Message</b> The requested resource [&#47;] is not 
available</p><p><b>Description</b> The origin server did not find a 
current representation for the target resource or is not willing to 
disclose that one exists.</p><hr class="line" /><h3>Apache 
Tomcat/8.5.59</h3></body></html>


Removing the "www.microsoft.com" from the request-line returns this:

HTTP/1.1 404
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 751
Date: Mon, 13 Sep 2021 13:24:34 GMT


<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not 
Found</title><style type="text/css">body 
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b 
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2 
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a 
{color:black;} .line 
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP 
Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status 
Report</p><p><b>Message</b> The requested resource [&#47;] is not 
available</p><p><b>Description</b> The origin server did not find a 
current representation for the target resource or is not willing to 
disclose that one exists.</p><hr class="line" /><h3>Apache 
Tomcat/8.5.59</h3></body></html>



Please show me what (exact) steps are required to reproduce this issue. 
Also please try your "attack" against Tomcat 8.5.x and/or 9.0.x as well 
as your Tomcat 7.0.x version.



I tried the above configuration mentioned but no luck but this 
configuration advised in Apache website 
http://tomcat.apache.org/tomcat-9.0-doc/config/host.html#Request_Filters

> to filter Host Header. I understand this is trivial but I have to fix

and I think I should handle it in the application server Tomcat7.

You can't filter-out the Host header. Well, not effectively.


I tried the below configuration but still validation is not working,
it's still redirecting other Host Headers. Please let me know what
else configuration I can try >

>   <Host name="defaultlocalhost" appbase="whatever">
>                  <Valve
> className="org.apache.catalina.valves.RemoteAddrValve"
>         allow=".*\.myapplication1\.com|.*\myapplication2\.com"/>
> </Host>

You misunderstand the purpose of the RemoteAddrValve[1].


The valve enforces client identity, not the host the client is trying to 
access. It also works on IP addresses, not hostnames. I'm surprised you 
were able to access anything at all.


-chris


[1] 
http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_Address_Valve



On Fri, Sep 10, 2021 at 7:36 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:


Pradeep,

On 9/10/21 06:19, Pradeep wrote:

Hi Team,

I need your help to fix HTTP Host header attacks.
I'm currently in the process of trying to fix a site vulnerability,
basically it is one type of the "Improper Input Handling" attack.

Let's say my website is www.mywebsite.com and there is hacker's website
www.hacker.com
Whenever there is a request send to www.mywebsite.com with modified

"Host"

header point to www.hacker.com, my site will create a redirect to
www.mywebsite.com along with whatever the url it was. e.g.


*Normal:*
Host: www.mywebsite.com
GET  www.mywebsite.com/get/some/resources/
Reponse 200 ok


*Hack:*Host: www.hacker.com (#been manually modified)
GET  www.mywebsite.com/get/some/resources/
Response 302
Send another Redirect to www.hacker.com/get/some/resources

I have found this configuration below for tomcat (my application using
Tomcat7) is this works for case? Also I have some existing Host name in
server.xml not sure how to incorporate both Host configuration, please

help

me on this.

*Solution I found :*

<Host name="defaultlocalhost" appbase="whatever" >
    </Host>

*My tomcat existing Host configuration:*
<Host name="localhost"  appBase="webapps"
              unpackWARs="true" autoDeploy="true">


I'm not sure why the above configuration would change anything. Can you
explain?

Please note that the "attacker" in this situation can only attack
himself. Injecting/modifying a header into an HTTP request can only be
done if the attacker is in a MitM position, which should not be possible
when using HTTPS. If using HTTP, then you are on your own and this
attack is trivial.

Assuming there is no MitM, it is challenging to cause another client to
use a header of the attacker's choosing.

Unless this is simply an academic question.

I always use Tomcat configured with a "default" <Host>, but I suspect
there may be a way to force Tomcat to treat a request as invalid if the
Host header doesn't match the name (or alias) of any <Host> configured.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org























					Reply via email to