Pradeep,
On 9/10/21 17:38, Pradeep wrote:
> My application is HTTPS not HTTP, and now one of the application security
> platforms, WhiteHatSec, raised this vulnerability issue.
I tried to reproduce your "attack" on Tomcat 8.5.59, like this:
$ cat forge
GET www.microsoft.com/ HTTP/1.1
Host: www.microsoft.com
$ od -t x1 -a forge
0000000 47 45 54 20 77 77 77 2e 6d 69 63 72 6f 73 6f 66
G E T sp w w w . m i c r o s o f
0000020 74 2e 63 6f 6d 2f 20 48 54 54 50 2f 31 2e 31 0d
t . c o m / sp H T T P / 1 . 1 cr
0000040 0a 48 6f 73 74 3a 20 77 77 77 2e 6d 69 63 72 6f
nl H o s t : sp w w w . m i c r o
0000060 73 6f 66 74 2e 63 6f 6d 0d 0a 0d 0a
s o f t . c o m cr nl cr nl
$ nc tomcat 8080 < forge
HTTP/1.1 400
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 795
Date: Mon, 13 Sep 2021 13:22:51 GMT
Connection: close
<!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad
Request</title><style type="text/css">body
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
{color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Status
Report</p><p><b>Message</b> Invalid URI</p><p><b>Description</b> The
server cannot or will not process the request due to something that is
perceived to be a client error (e.g., malformed request syntax, invalid
request message framing, or deceptive request routing).</p><hr
class="line" /><h3>
Changing the "www.microsoft.com" to "http://www.microsoft.com" returns
this:
HTTP/1.1 404
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 751
Date: Mon, 13 Sep 2021 13:25:22 GMT
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not
Found</title><style type="text/css">body
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
{color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status
Report</p><p><b>Message</b> The requested resource [/] is not
available</p><p><b>Description</b> The origin server did not find a
current representation for the target resource or is not willing to
disclose that one exists.</p><hr class="line" /><h3>Apache
Tomcat/8.5.59</h3></body></html>
Removing the "www.microsoft.com" from the request-line returns this:
HTTP/1.1 404
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 751
Date: Mon, 13 Sep 2021 13:24:34 GMT
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not
Found</title><style type="text/css">body
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
{color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status
Report</p><p><b>Message</b> The requested resource [/] is not
available</p><p><b>Description</b> The origin server did not find a
current representation for the target resource or is not willing to
disclose that one exists.</p><hr class="line" /><h3>Apache
Tomcat/8.5.59</h3></body></html>
Please show me what (exact) steps are required to reproduce this issue.
Also please try your "attack" against Tomcat 8.5.x and/or 9.0.x as well
as your Tomcat 7.0.x version.
> I tried the above configuration mentioned but no luck, but this
> configuration advised on the Apache website
> http://tomcat.apache.org/tomcat-9.0-doc/config/host.html#Request_Filters
> to filter the Host header. I understand this is trivial but I have to fix it,
> and I think I should handle it in the application server Tomcat7.
You can't filter-out the Host header. Well, not effectively.
> I tried the below configuration but still validation is not working;
> it's still redirecting other Host headers. Please let me know what
> other configuration I can try.
>
> <Host name="defaultlocalhost" appbase="whatever">
> <Valve
> className="org.apache.catalina.valves.RemoteAddrValve"
> allow=".*\.myapplication1\.com|.*\myapplication2\.com"/>
> </Host>
You misunderstand the purpose of the RemoteAddrValve[1].
The valve enforces client identity, not the host the client is trying to
access. It also works on IP addresses, not hostnames. I'm surprised you
were able to access anything at all.
-chris
[1]
http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_Address_Valve
On Fri, Sep 10, 2021 at 7:36 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
Pradeep,
On 9/10/21 06:19, Pradeep wrote:
Hi Team,
I need your help to fix HTTP Host header attacks.
I'm currently in the process of trying to fix a site vulnerability,
basically it is one type of the "Improper Input Handling" attack.
Let's say my website is www.mywebsite.com and there is hacker's
website
www.hacker.com
Whenever there is a request send to www.mywebsite.com with modified
"Host"
header point to www.hacker.com, my site will create a redirect to
www.mywebsite.com along with whatever the url it was. e.g.
*Normal:*
Host: www.mywebsite.com
GET www.mywebsite.com/get/some/resources/
Response 200 OK
*Hack:* Host: www.hacker.com (# manually modified)
GET www.mywebsite.com/get/some/resources/
Response 302
Send another Redirect to www.hacker.com/get/some/resources
I have found this configuration below for Tomcat (my application is using
Tomcat7). Does this work for this case? Also I have some existing Host names in
server.xml, and I'm not sure how to incorporate both Host configurations; please
help me on this.
*Solution I found :*
<Host name="defaultlocalhost" appbase="whatever" >
</Host>
*My tomcat existing Host configuration:*
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
I'm not sure why the above configuration would change anything. Can you
explain?
Please note that the "attacker" in this situation can only attack
himself. Injecting/modifying a header into an HTTP request can only be
done if the attacker is in a MitM position, which should not be possible
when using HTTPS. If using HTTP, then you are on your own and this
attack is trivial.
Assuming there is no MitM, it is challenging to cause another client to
use a header of the attacker's choosing.
Unless this is simply an academic question.
I always use Tomcat configured with a "default" <Host>, but I suspect
there may be a way to force Tomcat to treat a request as invalid if the
Host header doesn't match the name (or alias) of any <Host> configured.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
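The thread above shows two distinct things: Tomcat itself rejecting a request-line like "GET www.microsoft.com/ HTTP/1.1" with 400 "Invalid URI" (it is neither origin-form nor absolute-form), and an application that copies whatever arrives in the Host header into a redirect Location. The following is an added example, not code from the thread or from Tomcat, that models both behaviours in one place: it parses a raw HTTP/1.1 request head, determines the effective host (an absolute-form request-target overrides Host, per RFC 7230 section 5.5), and only ever builds a redirect from a host on a configured allowlist. The allowlist, the sample requests and the function names are constructed for the example.

```python
"""Host-header validation before building a redirect (added example)."""
from urllib.parse import urlsplit


class BadRequest(ValueError):
    """Raised for anything the server should answer with 400."""


def parse_request(raw: bytes):
    """Parse a minimal HTTP/1.1 request head into (method, target, version, headers).

    Header names are lower-cased; values are collected in lists so a duplicated
    Host header (a classic smuggling/injection trick) can be detected.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise BadRequest("malformed request-line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        if ":" not in line:
            raise BadRequest("malformed header line")
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, version, headers


def effective_host(target: str, headers: dict) -> str:
    """Return the authority this request is addressed to.

    origin-form   ("/path")            -> exactly one Host header is required
    absolute-form ("http://h/path")    -> the URI authority wins over Host
    anything else ("www.example.com/") -> invalid, like Tomcat's 400 "Invalid URI"
    """
    if target.startswith("/"):
        hosts = headers.get("host", [])
        if len(hosts) != 1:
            raise BadRequest("exactly one Host header is required")
        return hosts[0]
    if "://" in target:
        parts = urlsplit(target)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise BadRequest("unsupported absolute-form request-target")
        return parts.netloc
    raise BadRequest("invalid request-target")


def normalize_host(authority: str) -> str:
    """Lower-case the authority and strip a numeric :port (IPv6 literals kept whole)."""
    authority = authority.strip().lower()
    if authority.startswith("["):
        end = authority.find("]")
        if end < 0:
            raise BadRequest("unterminated IPv6 literal")
        return authority[: end + 1]
    host, sep, port = authority.rpartition(":")
    if sep and port.isdigit():
        return host
    return authority


def is_allowed_host(authority: str, allowed: frozenset) -> bool:
    """Exact match against the allowlist after normalisation; no substring or regex matching."""
    return normalize_host(authority) in allowed


def redirect_location(raw: bytes, allowed: frozenset, new_path: str) -> str:
    """Build a Location value for a redirect.

    The host is taken from the request only when it is on the allowlist; any other
    request is rejected with 400 rather than redirected to an attacker-chosen host.
    """
    _method, target, _version, headers = parse_request(raw)
    host = normalize_host(effective_host(target, headers))
    if host not in allowed:
        raise BadRequest(f"host {host!r} is not served here")
    return f"https://{host}{new_path}"


# Constructed allowlist and sample requests mirroring the cases in the thread.
ALLOWED_HOSTS = frozenset({"www.mywebsite.com"})
NORMAL = b"GET /get/some/resources/ HTTP/1.1\r\nHost: www.mywebsite.com\r\n\r\n"
HACK = b"GET /get/some/resources/ HTTP/1.1\r\nHost: www.hacker.com\r\n\r\n"
FORGE_NO_SCHEME = b"GET www.microsoft.com/ HTTP/1.1\r\nHost: www.microsoft.com\r\n\r\n"
FORGE_ABSOLUTE = b"GET http://www.hacker.com/ HTTP/1.1\r\nHost: www.mywebsite.com\r\n\r\n"


def classify(raw: bytes) -> str:
    """Return the status line the server would answer with, for the sample requests."""
    try:
        return "302 " + redirect_location(raw, ALLOWED_HOSTS, "/get/some/resources/")
    except BadRequest as exc:
        return f"400 {exc}"


if __name__ == "__main__":
    for name, req in [("normal", NORMAL), ("hack", HACK),
                      ("forge-no-scheme", FORGE_NO_SCHEME), ("forge-absolute", FORGE_ABSOLUTE)]:
        print(f"{name:16} -> {classify(req)}")
```

Two practical caveats. First, the simplest fix for the redirect case needs no request parsing at all: build the Location from a canonical hostname set in configuration and ignore the request host entirely; the allowlist above is for deployments that legitimately serve several names. Second, behind a reverse proxy the Host header seen by Tomcat is whatever the proxy forwards, so the check must be applied to the value the proxy is trusted to set (or the proxy itself must enforce it), and X-Forwarded-Host should only be consulted when it comes from a trusted proxy.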