Hi Chris,

I am using Tomcat 7.0.57; I can't change the Tomcat version now. I tried
adding a virtual Host with RemoteHostValve to allow a list of hosts, but
still no luck.

<Host name="defaultlocalhost" appBase="whatever">
  <Valve className="....RemoteHostValve"
         allow=".*\.myapplication\.com"/>
</Host>

Regards,
Pradeep

On Mon, 13 Sep 2021, 2:28 pm Christopher Schultz, <
ch...@christopherschultz.net> wrote:

> Pradeep,
>
> On 9/10/21 17:38, Pradeep wrote:
> > My application is HTTPS not HTTP and now one of the application security
> > platforms WhitHatSec raised this vulnerability issue.
>
> I tried to reproduce your "attack" on Tomcat 8.5.59, like this:
>
> $ cat forge
> GET www.microsoft.com/ HTTP/1.1
> Host: www.microsoft.com
>
>
> $ od -t x1 -a forge
> 0000000    47  45  54  20  77  77  77  2e  6d  69  63  72  6f  73  6f  66
>             G   E   T  sp   w   w   w   .   m   i   c   r   o   s   o   f
> 0000020    74  2e  63  6f  6d  2f  20  48  54  54  50  2f  31  2e  31  0d
>             t   .   c   o   m   /  sp   H   T   T   P   /   1   .   1  cr
> 0000040    0a  48  6f  73  74  3a  20  77  77  77  2e  6d  69  63  72  6f
>            nl   H   o   s   t   :  sp   w   w   w   .   m   i   c   r   o
> 0000060    73  6f  66  74  2e  63  6f  6d  0d  0a  0d  0a
>             s   o   f   t   .   c   o   m  cr  nl  cr  nl
>
> $ nc tomcat 8080 < forge
> HTTP/1.1 400
> Content-Type: text/html;charset=utf-8
> Content-Language: en
> Content-Length: 795
> Date: Mon, 13 Sep 2021 13:22:51 GMT
> Connection: close
>
> <!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad
> Request</title><style type="text/css">body
> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
>
> Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Status
> Report</p><p><b>Message</b> Invalid URI</p><p><b>Description</b> The
> server cannot or will not process the request due to something that is
> perceived to be a client error (e.g., malformed request syntax, invalid
> request message framing, or deceptive request routing).</p><hr
> class="line" /><h3>
>
> Changing the "www.microsoft.com" to "http://www.microsoft.com" returns
> this:
>
> HTTP/1.1 404
> Content-Type: text/html;charset=utf-8
> Content-Language: en
> Content-Length: 751
> Date: Mon, 13 Sep 2021 13:25:22 GMT
>
> <!doctype html><html lang="en"><head><title>HTTP Status 404 – Not
> Found</title><style type="text/css">body
> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
>
> Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status
> Report</p><p><b>Message</b> The requested resource [&#47;] is not
> available</p><p><b>Description</b> The origin server did not find a
> current representation for the target resource or is not willing to
> disclose that one exists.</p><hr class="line" /><h3>Apache
> Tomcat/8.5.59</h3></body></html>
>
> Removing the "www.microsoft.com" from the request-line returns this:
>
> HTTP/1.1 404
> Content-Type: text/html;charset=utf-8
> Content-Language: en
> Content-Length: 751
> Date: Mon, 13 Sep 2021 13:24:34 GMT
>
> <!doctype html><html lang="en"><head><title>HTTP Status 404 – Not
> Found</title><style type="text/css">body
> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
>
> Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status
> Report</p><p><b>Message</b> The requested resource [&#47;] is not
> available</p><p><b>Description</b> The origin server did not find a
> current representation for the target resource or is not willing to
> disclose that one exists.</p><hr class="line" /><h3>Apache
> Tomcat/8.5.59</h3></body></html>
>
> Please show me what (exact) steps are required to reproduce this issue.
> Also please try your "attack" against Tomcat 8.5.x and/or 9.0.x as well
> as your Tomcat 7.0.x version.
>
> > I tried the configuration mentioned above but no luck, but this
> > configuration is advised on the Apache website
> > http://tomcat.apache.org/tomcat-9.0-doc/config/host.html#Request_Filters
> > to filter the Host header. I understand this is trivial, but I have to fix
> > it and I think I should handle it in the application server, Tomcat 7.
>
> You can't filter-out the Host header. Well, not effectively.
>
> > I tried the below configuration but still validation is not working;
> > it's still redirecting other Host headers. Please let me know what
> > other configuration I can try.
> >
> >   <Host name="defaultlocalhost" appBase="whatever">
> >     <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> >            allow=".*\.myapplication1\.com|.*\.myapplication2\.com"/>
> >   </Host>
>
> You misunderstand the purpose of the RemoteAddrValve[1].
>
> The valve enforces client identity, not the host the client is trying to
> access. It also works on IP addresses, not hostnames. I'm surprised you
> were able to access anything at all.
>
> -chris
>
> [1] http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_Address_Valve
>
> > On Fri, Sep 10, 2021 at 7:36 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> Pradeep,
> >>
> >> On 9/10/21 06:19, Pradeep wrote:
> >>> Hi Team,
> >>>
> >>> I need your help to fix HTTP Host header attacks.
> >>> I'm currently in the process of trying to fix a site vulnerability,
> >>> basically it is one type of the "Improper Input Handling" attack.
> >>>
> >>> Let's say my website is www.mywebsite.com and there is a hacker's
> >>> website www.hacker.com.
> >>> Whenever there is a request sent to www.mywebsite.com with a modified
> >>> "Host" header pointing to www.hacker.com, my site will create a redirect to
> >>> www.mywebsite.com along with whatever the url it was. e.g.
> >>>
> >>>
> >>> *Normal:*
> >>> Host: www.mywebsite.com
> >>> GET  www.mywebsite.com/get/some/resources/
> >>> Response 200 OK
> >>>
> >>> *Hack:*
> >>> Host: www.hacker.com (# has been manually modified)
> >>> GET  www.mywebsite.com/get/some/resources/
> >>> Response 302
> >>> Sends another redirect to www.hacker.com/get/some/resources
> >>>
> >>> I have found the configuration below for Tomcat (my application uses
> >>> Tomcat 7); does this work for this case? Also, I have an existing Host name
> >>> in server.xml and I'm not sure how to incorporate both Host configurations;
> >>> please help me on this.
> >>>
> >>> *Solution I found :*
> >>>
> >>> <Host name="defaultlocalhost" appBase="whatever" >
> >>> </Host>
> >>>
> >>> *My tomcat existing Host configuration:*
> >>> <Host name="localhost"  appBase="webapps"
> >>>               unpackWARs="true" autoDeploy="true">
> >>
> >> I'm not sure why the above configuration would change anything. Can you
> >> explain?
> >>
> >> Please note that the "attacker" in this situation can only attack
> >> himself. Injecting/modifying a header into an HTTP request can only be
> >> done if the attacker is in a MitM position, which should not be possible
> >> when using HTTPS. If using HTTP, then you are on your own and this
> >> attack is trivial.
> >>
> >> Assuming there is no MitM, it is challenging to cause another client to
> >> use a header of the attacker's choosing.
> >>
> >> Unless this is simply an academic question.
> >>
> >> I always use Tomcat configured with a "default" <Host>, but I suspect
> >> there may be a way to force Tomcat to treat a request as invalid if the
> >> Host header doesn't match the name (or alias) of any <Host> configured.
> >>
> >> -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
>
>
>
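What Pradeep is actually after, a request being rejected when its Host header is not one of the names the site is served under, is an application-layer check rather than a job for RemoteAddrValve, which filters on client IP. As an added example (not Tomcat's own code and not from anyone in this thread), a Servlet 3.0 Filter that performs that check on Tomcat 7; the class name, the `allowedHosts` init-param and the host names are assumptions:

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Servlet 3.0 Filter (so it also runs on Tomcat 7) that rejects requests whose
// Host header is not a name this application is really served under.
// Hypothetical example written for this thread, not Tomcat's own code.
public class HostHeaderFilter implements Filter {
    // Allowed names, lower-case and without port, read from the "allowedHosts"
    // init-param, e.g. "www.mywebsite.com,mywebsite.com" (assumed names).
    private final Set<String> allowedHosts = new HashSet<>();
    @Override
    public void init(FilterConfig config) {
        String param = config.getInitParameter("allowedHosts");
        if (param == null) return;
        for (String h : param.split(",")) {
            allowedHosts.add(h.trim().toLowerCase(Locale.ROOT));
        }
    }
    // Drop an optional ":port" (keeping IPv6 brackets intact) and lower-case.
    static String normaliseHost(String host) {
        if (host == null) return null;
        host = host.trim();
        int end = host.startsWith("[") ? host.indexOf(']') + 1 : host.indexOf(':');
        if (end > 0) host = host.substring(0, end);
        return host.toLowerCase(Locale.ROOT);
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Check both the raw header and the server name Tomcat derived for the
        // request (an absolute request-URI can take precedence over Host); an
        // unknown or missing name fails closed with 400 instead of feeding redirects.
        String header = normaliseHost(request.getHeader("Host"));
        String server = normaliseHost(request.getServerName());
        if (header == null || !allowedHosts.contains(header)
                || !allowedHosts.contains(server)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }
    @Override public void destroy() { }
}
```

Register it in the application's web.xml with a `<filter-mapping>` on `/*` and an `allowedHosts` `<init-param>`, listing every name (including any alias) the site is legitimately reached under.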
