Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack

2017-05-22 Thread Cai, Charles [COMRES/RTC/RTC]
Hi there, 


Server Specs:
Server version: Apache Tomcat/7.0.54
Server built:   May 19 2014 10:26:15
Server number:  7.0.54.0
OS Name:Windows Server 2012
OS Version: 6.2
Architecture:   amd64
JVM Version:1.8.0_121-b13
JVM Vendor: Oracle Corporation


I'm currently in the process of trying to fix a site vulnerability; basically it 
is one type of "Improper Input Handling" attack.

Let's say my website is www.mywebsite.com and there is a hacker's website 
www.hacker.com.

Whenever there is a request sent to www.mywebsite.com with a modified "Host" 
header pointing to www.hacker.com, my site will create a redirect to 
www.mywebsite.com along with whatever the URL was, e.g.

Normal:
Host: www.mywebsite.com 
GET  www.mywebsite.com/get/some/resources/
Response 200 ok

Hack:
Host: www.hacker.com (manually modified)
GET  www.mywebsite.com/get/some/resources/
Response 302
Sends another redirect to www.hacker.com/get/some/resources

My website is running on Tomcat 7. I tried a solution: setting up a virtual host 
that points unknown hosts to a defaultlocalhost which is supposed to do nothing, 
but it still sends the redirect for some reason.

Here attached is my server.xml host configuration:


So, my question is: am I on the right track to prevent this kind of attack? If 
yes, what did I do wrong that it is still not working? (The ultimate goal is: if 
it is not the legitimate Host that is passed in, the request should be 
discarded/ignored/return 404, not redirected with 302.)

Thank you in advance.

More references about the attack here : 
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html 
http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling 

Original Post on stackoverflow:  
https://stackoverflow.com/questions/44054591/tomcat-virtual-host-to-prevent-improper-input-handling-attack
 

Charles Cai | Web Application Developer | RIDGID
Emerson Commercial & Residential Solutions |
charles@emerson.com





RE: Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack

2017-05-23 Thread Cai, Charles [COMRES/RTC/RTC]



Charles Cai | T +1 440 329 4888

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Monday, May 22, 2017 3:19 PM
To: users@tomcat.apache.org
Subject: Re: Question about Tomcat Virtual Host to prevent 
Improper-Input-Handling attack

On 22.05.2017 20:35, Cai, Charles [COMRES/RTC/RTC] wrote:
> Hi there,
>
>
> Server Specs:
> Server version: Apache Tomcat/7.0.54
> Server built:   May 19 2014 10:26:15
> Server number:  7.0.54.0
> OS Name:Windows Server 2012
> OS Version: 6.2
> Architecture:   amd64
> JVM Version:1.8.0_121-b13
> JVM Vendor: Oracle Corporation
>
>
> I'm currently in the process of trying to fix a site vulnerability; basically it 
> is one type of "Improper Input Handling" attack.
>
> Let's say my website is www.mywebsite.com and there is a hacker's 
> website www.hacker.com.
>
> Whenever there is a request sent to www.mywebsite.com with a modified "Host" 
> header pointing to www.hacker.com, my site will create a redirect to 
> www.mywebsite.com along with whatever the URL was, e.g.
>
> Normal:
> Host: www.mywebsite.com
> GET  www.mywebsite.com/get/some/resources/
> Response 200 ok
>
> Hack:
> Host: www.hacker.com (manually modified)
> GET  www.mywebsite.com/get/some/resources/
> Response 302
> Sends another redirect to www.hacker.com/get/some/resources
>
> My website is running on Tomcat 7. I tried a solution: setting up a virtual 
> host that points unknown hosts to a defaultlocalhost which is supposed to do 
> nothing, but it still sends the redirect for some reason.
>
> Here attached is my server.xml host configure:
>
>   jvmRoute="jvm1">   unpackWARs="true" autoDeploy="false" deployOnStartup="true">
>
>   directory="logs"
> prefix="localhost_access_log." suffix=".txt"
> pattern="%h %l %u %t %r %s %b" />
>
> So, my question is: am I on the right track to prevent this 
> kind of attack? If yes, what did I do wrong that it is still not working? (The 
> ultimate goal is: if it is not the legitimate Host that is passed in, the 
> request should be discarded/ignored/return 404, not redirected with 
> 302.)
>

Hi.
The first thing is, as far as I know, Tomcat *by itself* will not generate this 
redirect response.
But an application deployed inside Tomcat might do that, perhaps.

With the above configuration, this is what happens:

1) Any request coming in to your server, which has a Host: HTTP header which is 
not "recognised" by Tomcat, will be processed by this "defaultlocalhost" 
virtual Host.
See: http://tomcat.apache.org/tomcat-7.0-doc/config/engine.html#Attributes

2) this default virtual Host, as defined above, has an appBase="webapps", just 
like the other Host which you defined.
That is because "webapps" is the *default* value for this attribute, and you 
did not specify it otherwise in your "defaultlocalhost".
See: http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Attributes

3) thus, if your normal application (corresponding to the URI 
get/some/resources/) is deployed under (tomcat_dir)/webapps, then your 
application will be called when anyone sends the following HTTP request to your 
server:

GET get/some/resources/ HTTP/1.1
Host: evil.hackers.com (or whatever is not "www.mywebsite.com")

What your application then does with this call, is up to your application.
If it is some kind of framework, it might very well decide to return a redirect 
response.
But that is not tomcat code.

If you want to protect against this, then you should provide your 
"defaultlocalhost" with a real appBase, different from the standard "webapps", 
and maybe put a default application there which returns a lit cluster bomb to 
the evil hacker.
(or more reasonably, a "not found" response; which tomcat will do by itself if 
there is nothing there that matches the request URI).

Note that in addition, with your above configuration, there should be warnings 
in the tomcat logfile, because your application will be deployed twice : once 
for the "defaultlocalhost" Host, and once for the "www.mywebsite.com" Host.



> Thank you in advance.
>
> More references about the attack here :
> http://www.skeletonsc
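A server.xml Engine/Host layout that follows the advice in the reply above, as an added example and not the original poster's configuration: the catch-all Host gets its own separate, empty appBase so an unrecognised Host: header reaches no application and Tomcat itself answers 404 instead of a framework issuing a 302. The directory name "default-webapps" and the <Alias> entry are assumptions; everything else is taken from the thread.

```xml
<!-- Added example (not the original poster's server.xml): Tomcat 7 Engine/Host
     layout following the reply above. "default-webapps" and the Alias are assumed. -->
<Engine name="Catalina" defaultHost="defaultlocalhost" jvmRoute="jvm1">

  <!-- Catch-all Host: receives every request whose Host: header matches no other
       Host name or Alias (and HTTP/1.0 requests without a Host header).
       The problem in the original config: this Host had no appBase attribute, so it
       defaulted to "webapps" and deployed the real application a second time, letting
       the application (and its redirect logic) answer for any Host value.
       Fix: point it at a separate directory that stays empty (create it before
       starting Tomcat). With no context matching the request URI, Tomcat returns 404. -->
  <Host name="defaultlocalhost" appBase="default-webapps"
        unpackWARs="false" autoDeploy="false" deployOnStartup="false">
  </Host>

  <!-- The real site: only requests whose Host: header is exactly this name (or a
       listed Alias) reach the application deployed under webapps. -->
  <Host name="www.mywebsite.com" appBase="webapps"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true">
    <Alias>mywebsite.com</Alias>
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t %r %s %b" />
  </Host>

</Engine>
```

After the change, a request carrying Host: www.hacker.com should show up in the Tomcat logs as a 404 from the default Host rather than a 302, and the "deployed twice" warnings mentioned above should disappear.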

RE: Tomcat URL encoding

2017-06-15 Thread Cai, Charles [COMRES/RTC/RTC]
Sorry, I forgot to mention, I already added the following to the catalina.properties 
file. 

org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true 

It didn't seem to work for me either. 

Charles Cai | T +1 440 329 4888

-Original Message-
From: Rossen Stoyanchev [mailto:rstoyanc...@pivotal.io] 
Sent: Thursday, June 15, 2017 3:11 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat URL encoding

You need to enable this through the ALLOW_BACKSLASH property:
https://tomcat.apache.org/tomcat-8.5-doc/config/systemprops.html

On Thu, Jun 15, 2017 at 2:44 PM, Cai, Charles [COMRES/RTC/RTC] < 
charles@emerson.com> wrote:

> Hi Guys,
>
> Looking for help here after searching the web for a couple of hours:
>
> I'm currently doing some testing on Tomcat 8.5.9. I'm trying to encode
> all the URLs that are requested from my server.
> One thing I have noticed isn't working is that the `\` (backslash) 
> can't be allowed in the URL.
>
> I'm getting the error saying:
> INFO [https-jsse-nio-8443-exec-10] 
> org.apache.coyote.http11.Http11Processor.service
> Error parsing HTTP request header
>  Note: further occurrences of HTTP header parsing errors will be 
> logged at DEBUG level.
> java.lang.IllegalArgumentException: Invalid character found in the 
> request target. The valid characters are defined in RFC 7230 and RFC 
> 3986
>
> The test requesting URL is like this:
> https://localhost:8443/passthrough.jsp?ntUserName=comany\testuser
>
> Currently, I tried these two approaches:
> 1st, set the server.xml with URIEncoding:
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html
>
> 2nd, add the following filter:
> https://wiki.apache.org/tomcat/FAQ/CharacterEncoding#Q1
>
> It should be like this after the encoding (replace `\` with `%5C` ) :
> https://localhost:8443/passthrough.jsp?ntUserName=comany%5Ctestuser
>
> but none of those options worked for me.
>
> Thank you
>
> Charles Cai
>
>


Tomcat URL encoding

2017-06-15 Thread Cai, Charles [COMRES/RTC/RTC]
Hi Guys,

Looking for help here after searching the web for a couple of hours:

I'm currently doing some testing on Tomcat 8.5.9. I'm trying to encode all the 
URLs that are requested from my server.
One thing I have noticed isn't working is that the `\` (backslash) can't be 
allowed in the URL.

I'm getting the error saying:
INFO [https-jsse-nio-8443-exec-10] 
org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request 
header
 Note: further occurrences of HTTP header parsing errors will be logged at 
DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request 
target. The valid characters are defined in RFC 7230 and RFC 3986

The test requesting URL is like this:
https://localhost:8443/passthrough.jsp?ntUserName=comany\testuser

Currently, I tried these two approaches:
1st, set the server.xml with URIEncoding:
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

2nd, add the following filter:
https://wiki.apache.org/tomcat/FAQ/CharacterEncoding#Q1

It should be like this after the encoding (replace `\` with `%5C` ) :
https://localhost:8443/passthrough.jsp?ntUserName=comany%5Ctestuser

but none of those options worked for me.

Thank you

Charles Cai