AW: HSTS on 401 / error pages

Sun, 17 Sep 2023 00:27:41 -0700 

Hello,

thanks for all your suggestions and input and also Chris for digging into the 
underlying reason.
As tomcat is running standalone I think I will leave it as it is.
Setting up a reverse proxy or containerization for this reason sounds like 
overdoing it in this case.

I will take it as a "cosmetic imperfection" and maybe ask also the 
burpsuite-team if this finding is justified.

I wish all a nice weekend!
Thomas

> -----Ursprüngliche Nachricht-----
> Von: Roberto Benedetti <roberto.benede...@dedalus.eu>
> Gesendet: Samstag, 16. September 2023 11:46
> An: Tomcat Users List <users@tomcat.apache.org>
> Betreff: R: HSTS on 401 / error pages
> 
> If you have a fronting reverse proxy/load balancer (HAProxy, NGINX,
> Apache) you can use them to set HSTS and let Tomcat set the other security
> headers.
> If your application is running in a container (Kubernetes, Openshift, OKD),
> they all have the option to add HSTS in Ingress/Route. Again, the other
> security options are left to Tomcat.
> 
> We had the same issue and that's how we passed the pen-test.
> 
> Roberto
> 
> -----Messaggio originale-----
> Da: Peter Kreuser <l...@kreuser.name>
> Inviato: venerdì 15 settembre 2023 21:34
> A: Tomcat Users List <users@tomcat.apache.org>
> Oggetto: Re: HSTS on 401 / error pages
> 
>   CAUTION - This e-mail originates outside of Dedalus. Be vigilant with
> content, links and attachments!
> 
> d) !!!
> 
> BTW: HSTS needs to be evaluated only once and then sticks in the browser!
> So unless the 401 is the first page ever, this change would not be really
> necessary.
> 
> Peter
> 
> > Am 15.09.2023 um 17:58 schrieb Thomas Hoffmann (Speed4Trade GmbH)
> <thomas.hoffm...@speed4trade.com.invalid>:
> >
> > Hello Christ,
> >
> >> -----Ursprüngliche Nachricht-----
> >> Von: Christopher Schultz <ch...@christopherschultz.net>
> >> Gesendet: Freitag, 15. September 2023 17:15
> >> An: users@tomcat.apache.org
> >> Betreff: Re: AW: HSTS on 401 / error pages
> >>
> >> Thomas,
> >>
> >>> On 9/14/23 10:03, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> >>> Hello Chris,
> >>>
> >>>> -----Ursprüngliche Nachricht-----
> >>>> Von: Christopher Schultz <ch...@christopherschultz.net>
> >>>> Gesendet: Donnerstag, 14. September 2023 15:26
> >>>> An: users@tomcat.apache.org
> >>>> Betreff: Re: HSTS on 401 / error pages
> >>>>
> >>>> Thomas,
> >>>>
> >>>> Please start a new thread next time.
> >>>
> >>> Sorry, I thought removing all content and subject is sufficient.
> >>> Maybe the message-id header is used internally(?)
> >>
> >> Absolutely. That's what "reply" does on a mailing list...
> >>
> >>>
> >>>> On 9/14/23 02:20, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> >>>>> Hello everyone,
> >>>>>
> >>>>> I would like to get your opinion about the
> >>>>> HttpHeaderSecurityFilter in
> >>>> Tomcat.
> >>>>> I configured HSTS in Tomcat and it works well.
> >>>>> When I do a pen-test with burpsuite it complains that HSTS header
> >>>>> is
> >>>> missing on 401 responses.
> >>>>> I couldn’t find much information about whether HSTS makes sense
> >>>>> for
> >>>> error pages.
> >>>>>
> >>>>> It seems that Tomcat doesn’t send HSTS on 401 pages but
> >>>>> burpsuite
> >>>> expects the header.
> >>>>> Are there any pros and cons about sending HSTS on 401 response?
> >>>>
> >>>> You should always return an HSTS header.
> >>>>
> >>>> How have you configured your HttpHeaderSecurityFilter? What is
> >>>> causing the
> >>>> 401 response? Which application is responding with that status?
> >>>>
> >>>> -chris
> >>>>
> >>>
> >>> Here are the requested details:
> >>>
> >>> SecurityFilter is set in the web.xml of the application:
> >>> <filter>
> >>>        <filter-name>httpHeaderSecurity</filter-name>
> >>>        <filter-
> >> class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-cl
> >> class>ass>
> >>>        <async-supported>true</async-supported>
> >>>        <init-param>
> >>>             <param-name>hstsEnabled</param-name>
> >>>             <param-value>true</param-value>
> >>>        </init-param>
> >>> ...
> >>>
> >>> Further down in the web.xml is a constraint:
> >>>    <security-constraint>
> >>>          <web-resource-collection>
> >>>              <web-resource-name>xxx</web-resource-name>
> >>>              <url-pattern>/*</url-pattern>
> >>>          </web-resource-collection>
> >>>
> >>>          <auth-constraint>
> >>>              <role-name>yyy</role-name>
> >>>          </auth-constraint>
> >>>
> >>>          <user-data-constraint>
> >>>              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >>>          </user-data-constraint>
> >>>      </security-constraint>
> >>>
> >>>
> >>> There is no frontend-server, tomcat is directly accessed from the
> browser.
> >>> It seems that burpsuite didn’t send authentication in the first
> >>> place and this
> >> resulted in 401.
> >>>
> >>> If I use curl https://<domain>/  I get similar result:
> >>> < HTTP/1.1 401
> >>> < WWW-Authenticate: Negotiate
> >>> < Content-Type: text/html;charset=utf-8 < Content-Language: de <
> >>> Content-Length: 439 < Date: Thu, 14 Sep 2023 13:58:10 GMT
> >>>
> >>> When providing credentials to curl, the following headers are also
> included:
> >>> < Strict-Transport-Security: max-age=31536000;includeSubDomains
> >>> < X-Frame-Options: DENY
> >>> < X-Content-Type-Options: nosniff
> >>> < X-XSS-Protection: 1; mode=block
> >>>
> >>> I hope this information helps.
> >>
> >> Authentication is checked before any filters run, because
> >> authentication is performed by a Valve, all of which run before any Filters
> run.
> >>
> >> I'm not sure there is a way around this without
> >>
> >> a. Using a fronting server of some kind b. Getting a change of some
> >> kind made to Tomcat c. Hacking this yourself
> >>
> >> (b) is probably the best option, though I'm not sure what the best
> >> form of server-support for this would be.
> >>
> >> Making HttpHeaderSecurity available in a Valve-packaging would do the
> >> trick, but maybe this makes sense to add at a more fundamental level to
> Tomcat.
> >> The problem is that HSTS is only one of many security-related headers
> >> and maybe it's potential lifetime isn't that long. My guess is that
> >> sometime in the near future, TLS will simply be required for all web
> >> traffic. If we bake that kind of thing into core-Tomcat, it becomes
> >> something we will need to un- bake in the future, and chefs can tell
> >> you that un-baking things rarely works out well.
> >>
> >> -chris
> >>
> >> ---------------------------------------------------------------------
> >
> > Thanks for your elaboration!
> > The security headers change from time to time, true.
> > Maybe it would be possible to provide a kind of "http-header-valve" which
> can be configured which headers to add?
> > Then you wouldn’t have a tight coupling and when headers change, you
> can adjust the configuration without changing code.
> > It would not be as comfortable as the HttpHeaderSecurityFilter but more
> flexible.
> >
> > Option d) would be to ignore the reported finding of the pen-testing
> > tool 😉
> >
> > Greetings,
> > Thomas
> >
> >
> B‹KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
> KKKKKKKKKKK
> > KCB•È[œÝXœØÜšX™KK[XZ[
> ˆ\Ù\œË][œÝXœØÜšX™PÛXØ]
> > ˜\XÚK›Ü™ÃB‘›ÜˆY][Û˜[ÛÛ[X[™ËK[XZ[
> ˆ\Ù\œËZ[ÛXØ]
> > ˜\XÚK›Ü™ÃBƒ
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> B
> KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
> KKKKKKKKKKCB  [  X  ܚX KK[XZ[
> 
>  \ \  ][  X  ܚX P X ]
>  \X K ܙ B  ܈Y][ۘ[  [X[  K[XZ[
> 
>  \ \  Z[ X ]
>  \X K ܙ B

Reply via email to