Hi Chris,

I am using Tomcat 7.0.57, I can't change the Tomcat version now. I tried adding a Virtual Host with RemoteHostValve to allow a list of hosts but still no luck.

<Host name="defaultlocalhost" appbase="whatever">
  <Valve className="....RemoteHostValve" allow="*.\myapplication\.com">

Regards,
Pradeep

On Mon, 13 Sep 2021, 2:28 pm Christopher Schultz, <ch...@christopherschultz.net> wrote:

> Pradeep,
>
> On 9/10/21 17:38, Pradeep wrote:
> > My application is HTTPS not HTTP and now one of the application security
> > platforms WhitHatSec raised this vulnerability issue.
>
> I tried to reproduce your "attack" on Tomcat 8.5.59, like this:
>
> $ cat forge
> GET www.microsoft.com/ HTTP/1.1
> Host: www.microsoft.com
>
>
> $ od -t x1 -a forge
> 0000000  47  45  54  20  77  77  77  2e  6d  69  63  72  6f  73  6f  66
>           G   E   T  sp   w   w   w   .   m   i   c   r   o   s   o   f
> 0000020  74  2e  63  6f  6d  2f  20  48  54  54  50  2f  31  2e  31  0d
>           t   .   c   o   m   /  sp   H   T   T   P   /   1   .   1  cr
> 0000040  0a  48  6f  73  74  3a  20  77  77  77  2e  6d  69  63  72  6f
>          nl   H   o   s   t   :  sp   w   w   w   .   m   i   c   r   o
> 0000060  73  6f  66  74  2e  63  6f  6d  0d  0a  0d  0a
>           s   o   f   t   .   c   o   m  cr  nl  cr  nl
>
> $ nc tomcat 8080 < forge
> HTTP/1.1 400
> Content-Type: text/html;charset=utf-8
> Content-Language: en
> Content-Length: 795
> Date: Mon, 13 Sep 2021 13:22:51 GMT
> Connection: close
>
> <!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad
> Request</title><style type="text/css">body
> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
> Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Status
> Report</p><p><b>Message</b> Invalid URI</p><p><b>Description</b> The
> server cannot or will not process the request due to something that is
> perceived to be a client error (e.g., malformed request syntax, invalid
> request message framing, or deceptive request routing).</p><hr
> class="line" /><h3>
>
> Changing the "www.microsoft.com" to "http://www.microsoft.com" returns
> this:
>
> HTTP/1.1 404
> Content-Type: text/html;charset=utf-8
> Content-Language: en
> Content-Length: 751
> Date: Mon, 13 Sep 2021 13:25:22 GMT
>
> <!doctype html><html lang="en"><head><title>HTTP Status 404 – Not
> Found</title><style type="text/css">body
> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
> Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status
> Report</p><p><b>Message</b> The requested resource [/] is not
> available</p><p><b>Description</b> The origin server did not find a
> current representation for the target resource or is not willing to
> disclose that one exists.</p><hr class="line" /><h3>Apache
> Tomcat/8.5.59</h3></body></html>
>
> Removing the "www.microsoft.com" from the request-line returns this:
>
> HTTP/1.1 404
> Content-Type: text/html;charset=utf-8
> Content-Language: en
> Content-Length: 751
> Date: Mon, 13 Sep 2021 13:24:34 GMT
>
> <!doctype html><html lang="en"><head><title>HTTP Status 404 – Not
> Found</title><style type="text/css">body
> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
> Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status
> Report</p><p><b>Message</b> The requested resource [/] is not
> available</p><p><b>Description</b> The origin server did not find a
> current representation for the target resource or is not willing to
> disclose that one exists.</p><hr class="line" /><h3>Apache
> Tomcat/8.5.59</h3></body></html>
>
> Please show me what (exact) steps are required to reproduce this issue.
> Also please try your "attack" against Tomcat 8.5.x and/or 9.0.x as well
> as your Tomcat 7.0.x version.
>
> > I tried the above configuration mentioned but no luck, but this
> > configuration advised on the Apache website
> > http://tomcat.apache.org/tomcat-9.0-doc/config/host.html#Request_Filters
> > to filter the Host header. I understand this is trivial but I have to fix
> > it and I think I should handle it in the application server Tomcat7.
>
> You can't filter-out the Host header. Well, not effectively.
>
> > I tried the below configuration but still validation is not working,
> > it's still redirecting other Host headers. Please let me know what
> > other configuration I can try.
> >
> > <Host name="defaultlocalhost" appbase="whatever">
> >   <Valve
> >     className="org.apache.catalina.valves.RemoteAddrValve"
> >     allow=".*\.myapplication1\.com|.*\myapplication2\.com"/>
> > </Host>
>
> You misunderstand the purpose of the RemoteAddrValve[1].
>
> The valve enforces client identity, not the host the client is trying to
> access. It also works on IP addresses, not hostnames. I'm surprised you
> were able to access anything at all.
>
> -chris
>
> [1]
> http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_Address_Valve
>
> > On Fri, Sep 10, 2021 at 7:36 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> >
> >> Pradeep,
> >>
> >> On 9/10/21 06:19, Pradeep wrote:
> >>> Hi Team,
> >>>
> >>> I need your help to fix HTTP Host header attacks.
> >>> I'm currently in the process of trying to fix a site vulnerability,
> >>> basically it is one type of the "Improper Input Handling" attack.
> >>>
> >>> Let's say my website is www.mywebsite.com and there is a hacker's website
> >>> www.hacker.com
> >>> Whenever there is a request sent to www.mywebsite.com with a modified "Host"
> >>> header pointing to www.hacker.com, my site will create a redirect to
> >>> www.mywebsite.com along with whatever the url it was. e.g.
> >>>
> >>> *Normal:*
> >>> Host: www.mywebsite.com
> >>> GET www.mywebsite.com/get/some/resources/
> >>> Response 200 ok
> >>>
> >>> *Hack:*
> >>> Host: www.hacker.com (#been manually modified)
> >>> GET www.mywebsite.com/get/some/resources/
> >>> Response 302
> >>> Send another Redirect to www.hacker.com/get/some/resources
> >>>
> >>> I have found this configuration below for tomcat (my application is using
> >>> Tomcat7). Does this work for this case? Also I have an existing Host name in
> >>> server.xml, not sure how to incorporate both Host configurations, please help
> >>> me on this.
> >>>
> >>> *Solution I found :*
> >>>
> >>> <Host name="defaultlocalhost" appbase="whatever" >
> >>> </Host>
> >>>
> >>> *My tomcat existing Host configuration:*
> >>> <Host name="localhost" appBase="webapps"
> >>>       unpackWARs="true" autoDeploy="true">
> >>
> >> I'm not sure why the above configuration would change anything. Can you
> >> explain?
> >>
> >> Please note that the "attacker" in this situation can only attack
> >> himself. Injecting/modifying a header into an HTTP request can only be
> >> done if the attacker is in a MitM position, which should not be possible
> >> when using HTTPS. If using HTTP, then you are on your own and this
> >> attack is trivial.
> >>
> >> Assuming there is no MitM, it is challenging to cause another client to
> >> use a header of the attacker's choosing.
> >>
> >> Unless this is simply an academic question.
> >>
> >> I always use Tomcat configured with a "default" <Host>, but I suspect
> >> there may be a way to force Tomcat to treat a request as invalid if the
> >> Host header doesn't match the name (or alias) of any <Host> configured.
> >>
> >> -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
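Chris's closing point, that a request should be treated as invalid when its Host header matches none of the names the deployment actually serves, can be enforced in the application itself instead of with RemoteAddrValve, which checks client IPs. The filter below is an added example written for this thread, not code from Tomcat or from either poster; it assumes the allowed host names are supplied as a comma-separated `allowedHosts` init-param in web.xml and uses the javax.servlet 3.0 API that Tomcat 7 ships.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Hypothetical filter, not part of Tomcat: rejects requests whose Host header
// does not name one of the hosts this deployment is meant to serve.
public class HostHeaderFilter implements Filter {
    private final Set<String> allowed = new HashSet<String>();
    public void init(FilterConfig config) throws ServletException {
        // Allow-list from web.xml, e.g. "www.myapplication1.com,www.myapplication2.com"
        String param = config.getInitParameter("allowedHosts");
        if (param == null || param.trim().isEmpty()) {
            throw new ServletException("allowedHosts init-param is required");
        }
        for (String h : param.split(",")) {
            allowed.add(h.trim().toLowerCase(Locale.ROOT));
        }
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!isAllowed(request.getHeader("Host"))) {
            // Fail closed with 400; never redirect, or the attacker-chosen host lands in Location
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid Host header");
            return;
        }
        chain.doFilter(req, res);
    }
    // Exact, case-insensitive match after dropping an optional :port suffix
    // (a bracketed IPv6 literal keeps its brackets); missing/empty Host is rejected.
    boolean isAllowed(String host) {
        if (host == null) return false;
        String h = host.trim().toLowerCase(Locale.ROOT);
        int colon = h.lastIndexOf(':');
        if (colon > 0 && !h.endsWith("]")) h = h.substring(0, colon);
        return !h.isEmpty() && allowed.contains(h);
    }
    public void destroy() {}
}
```

Map it to `/*` in web.xml ahead of any filter that builds redirects, and keep the list to exact names rather than a pattern such as the `.*\.myapplication\.com` regexes above, which also admit hosts like `evil-myapplication.com` unless anchored and escaped correctly.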