Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack

2017-05-22 Thread Cai, Charles [COMRES/RTC/RTC]
Hi there, 


Server Specs:
Server version: Apache Tomcat/7.0.54
Server built:   May 19 2014 10:26:15
Server number:  7.0.54.0
OS Name:Windows Server 2012
OS Version: 6.2
Architecture:   amd64
JVM Version:1.8.0_121-b13
JVM Vendor: Oracle Corporation


I'm currently in the process of trying to fix a site vulnerability; basically it 
is one type of "Improper Input Handling" attack.

Let's say my website is www.mywebsite.com and there is hacker's website 
www.hacker.com

Whenever a request is sent to www.mywebsite.com with a modified "Host" 
header pointing to www.hacker.com, my site creates a redirect to 
www.hacker.com along with whatever the URL was, e.g.

Normal:
Host: www.mywebsite.com 
GET  www.mywebsite.com/get/some/resources/
Response 200 ok

Hack:
Host: www.hacker.com (#been manually modified) 
GET  www.mywebsite.com/get/some/resources/
Response 302 
Send another Redirect to www.hacker.com/get/some/resources 
My website is running on Tomcat 7. I tried a solution of setting up a 
virtual host by pointing unknown hosts to a defaultlocalhost which is supposed to 
do nothing, but it still sends the redirect for some reason.

Attached here is my server.xml host configuration:

  



  

  
  

So, my question is: am I on the right track to prevent this kind of attack? If 
yes, what did I do wrong that it is still not working? (The ultimate goal is: if it is 
not the legitimate Host that has been passed in, the request should be 
discarded/ignored/return 404, but not redirected with a 302.)

Thank you in advance.

More references about the attack here : 
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html 
http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling 

Original Post on stackoverflow:  
https://stackoverflow.com/questions/44054591/tomcat-virtual-host-to-prevent-improper-input-handling-attack
 

Charles Cai | Web Application Developer | RIDGID
Emerson Commercial & Residential Solutions |
charles@emerson.com


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack

2017-05-22 Thread tomcat

On 22.05.2017 20:35, Cai, Charles [COMRES/RTC/RTC] wrote:

Hi there,


Server Specs:
Server version: Apache Tomcat/7.0.54
Server built:   May 19 2014 10:26:15
Server number:  7.0.54.0
OS Name:Windows Server 2012
OS Version: 6.2
Architecture:   amd64
JVM Version:1.8.0_121-b13
JVM Vendor: Oracle Corporation


I'm currently in the process of trying to fix a site vulnerability; basically it is one type 
of "Improper Input Handling" attack.

Let's say my website is www.mywebsite.com and there is hacker's website 
www.hacker.com

Whenever a request is sent to www.mywebsite.com with a modified "Host" 
header pointing to www.hacker.com, my site creates a redirect to www.hacker.com along 
with whatever the URL was, e.g.

Normal:
Host: www.mywebsite.com
GET  www.mywebsite.com/get/some/resources/
Response 200 ok

Hack:
Host: www.hacker.com (#been manually modified)
GET  www.mywebsite.com/get/some/resources/
Response 302
Send another Redirect to www.hacker.com/get/some/resources
My website is running on Tomcat 7. I tried a solution of setting up a 
virtual host by pointing unknown hosts to a defaultlocalhost which is supposed to 
do nothing, but it still sends the redirect for some reason.

Attached here is my server.xml host configuration:




 
   

   
   

So, my question is: am I on the right track to prevent this kind of attack? If 
yes, what did I do wrong that it is still not working? (The ultimate goal is: if it is 
not the legitimate Host that has been passed in, the request should be 
discarded/ignored/return 404, but not redirected with a 302.)



Hi.
The first thing is, as far as I know, Tomcat *by itself* will not generate this redirect 
response.

But an application deployed inside Tomcat might do that, perhaps.

With the above configuration, this is what happens:

> 

>
>

1) Any request coming in to your server, which has a Host: HTTP header which is not 
"recognised" by Tomcat, will be processed by this "defaultlocalhost" virtual Host.

See: http://tomcat.apache.org/tomcat-7.0-doc/config/engine.html#Attributes

2) this default virtual Host, as defined above, has an appBase="webapps", just like the 
other Host which you defined.
That is because "webapps" is the *default* value for this attribute, and you did not 
specify it otherwise in your "defaultlocalhost".

See: http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Attributes

3) thus, if your normal application (corresponding to the URI get/some/resources/) is 
deployed under (tomcat_dir)/webapps, then your application will be called when anyone 
sends the following HTTP request to your server:


GET get/some/resources/ HTTP/1.1
Host: evil.hackers.com (or whatever is not "www.mywebsite.com")

What your application then does with this call, is up to your application.
If it is some kind of framework, it might very well decide to return a redirect 
response.
But that is not tomcat code.

If you want to protect against this, then you should provide your "defaultlocalhost" with 
a real appBase, different from the standard "webapps", and maybe put a default application 
there which returns a lit cluster bomb to the evil hacker.
(or more reasonably, a "not found" response; which tomcat will do by itself if there is 
nothing there that matches the request URI).


Note that in addition, with your above configuration, there should be warnings in the 
tomcat logfile, because your application will be deployed twice : once for the 
"defaultlocalhost" Host, and once for the "www.mywebsite.com" Host.
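The two server.xml variants the reply contrasts, written out as an added example (the poster's original configuration did not survive in this archive, so the "before" fragment is reconstructed from the reply's description; the Engine and Host attributes are Tomcat 7's, the directory name webapps-default is an assumption):

```xml
<!-- BEFORE (reconstructed from the reply): the catch-all Host omits appBase, so it
     falls back to the default "webapps", the same directory as the real site.
     The application is deployed twice and answers for any Host header. -->
<Engine name="Catalina" defaultHost="defaultlocalhost">
  <Host name="defaultlocalhost" />
  <Host name="www.mywebsite.com" appBase="webapps"
        unpackWARs="true" autoDeploy="true" />
</Engine>

<!-- AFTER: the catch-all Host gets its own appBase (an empty directory under
     CATALINA_BASE, name assumed) with deployment switched off. No context matches
     a request carrying an unknown Host header, so Tomcat itself returns 404 and
     the application's redirect logic never runs. -->
<Engine name="Catalina" defaultHost="defaultlocalhost">
  <Host name="defaultlocalhost" appBase="webapps-default"
        deployOnStartup="false" autoDeploy="false" unpackWARs="false" />
  <Host name="www.mywebsite.com" appBase="webapps"
        unpackWARs="true" autoDeploy="true" />
</Engine>
```

Create the webapps-default directory before starting Tomcat and leave it empty; a quick check is to send a request with a Host header other than www.mywebsite.com and confirm the response is a 404 with no Location header, and that the "deployed twice" warnings no longer appear in the log.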








Getting list of session for different contexts

2017-05-22 Thread Daga, Harshit
Hi,

I am trying to do the following. As part of the tomcat startup I have added a 
listener. This listener starts a thread and that thread will open a socket 
connection. I am doing so to record the time taken to access and get the 
information from the tomcat server. If I use Jmx it is taking slightly more 
time, thus I am experimenting using direct socket connection.

Now I want to get the list of sessions from different contexts. Kindly let me 
know how I can get the list of sessions for different contexts?
I guess I can get the list of sessions from the StandardManager class, but how do I get 
the instance of this class for different contexts?


Thanks & Regards,
Harshit Daga


WebSocket - Client doesn't receive server messages

2017-05-22 Thread Simon De Uvarow
Hi, I'm having a strange issue:

I'm developing a frontend with WebSockets, (my first WebSocket! ). To test
the code I'm also developing some tests to run in Eclipse.

So, I create a Client in the Test, connect to the server, and want to have
some communication.
I added lot of logs to debug the issue:

- WebsocketClientEndpoint:33 - Connect to server
- WebsocketClientEndpoint:41 - Before Request: Cookie,
JSESSIONID=A65A4F5711DC8820C246DDD45A409BFA
- WebSocketFilter:38 - Filter executing ..
- WebsocketClientEndpoint:64 - opening websocket
- WebSocketServer:59 - 1 has opened a connection
- WebSocketServer:64 - clientIP: 127.0.0.1
- WebsocketClientEndpoint:113 - sendMessage
- WebSocketServer:75 - onMessage: .
- WebSocketServer:117 - Send OK message

At the end, the server sends a response ("OK"), and the client waits for
the response of the server.
But the client doesn't receive it, no matter how long I wait.
I debugged Tomcat's code, but couldn't find the issue.
It's not clear to me at what point the library writes the information to
the socket.

This is how I send the response from the server:

WFMWebSocketServer

    @OnMessage
    public void onMessage(String message) {
        ...
        // Send OK response
        try {
            logger.debug("Send OK message");
            session.getBasicRemote().sendText("OK");
        } catch (IOException e) {
            e.printStackTrace();
        }
        ...
    }

The following is the @OnOpen code:

    @OnOpen
    public void onOpen(Session session) {
        this.session = session;
        logger.info(session.getId() + " has opened a connection");
        final PrincipalWithRemoteAddress pws =
            (PrincipalWithRemoteAddress) session.getUserPrincipal();
        remoteAdr = pws == null ? null : pws.getRemoteAdr();

        try {
            session.getBasicRemote().sendText("OK");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

The earlier "OK" message is not received by the client either; I don't see
its log line in the console:


WebsocketClientEndpoint

    @OnMessage
    public void onMessage(String message) {
        logger.debug("onMessage: " + message);

        if (this.messageHandler != null) {
            this.messageHandler.handleMessage(message);
        }
    }


Any idea why I am getting what looks like half-duplex communication?
Or any idea how to debug or analyze the issue in order to fix it?

The version of the libraries and Tomcat I'm using is:
8.5.15

Thanks!


"Don't forget, don't betray what you carry deep inside you. Don't forget, don't
betray what has always made you live."