Re: Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

André,

On 5/22/17 3:19 PM, André Warnier (tomcat) wrote:
> On 22.05.2017 20:35, Cai, Charles [COMRES/RTC/RTC] wrote:
>> Here attached is my server.xml host configuration:
>> ______
>> unpackWARs="true" autoDeploy="false" deployOnStartup="true">
>> directory="logs" prefix="localhost_access_log." suffix=".txt"
>> pattern="%h %l %u %t %r %s %b" />
>> ______
>
> With the above configuration, this is what happens :
>
> 1) Any request coming in to your server, which has a Host: HTTP
> header which is not "recognised" by Tomcat, will be processed by
> this "defaultlocalhost" virtual Host. See :
> http://tomcat.apache.org/tomcat-7.0-doc/config/engine.html#Attributes
>
> 2) this default virtual Host, as defined above, has an
> appBase="webapps", just like the other Host which you defined. That
> is because "webapps" is the *default* value for this attribute,
> and you did not specify it otherwise in your "defaultlocalhost".
> See :
> http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Attributes

+1

This is most likely the problem here. Try or something similar.
-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack
Charles Cai | T +1 440 329 4888

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Monday, May 22, 2017 3:19 PM
To: users@tomcat.apache.org
Subject: Re: Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack

On 22.05.2017 20:35, Cai, Charles [COMRES/RTC/RTC] wrote:
> Hi there,
>
> ______
> Server Specs:
> Server version: Apache Tomcat/7.0.54
> Server built: May 19 2014 10:26:15
> Server number: 7.0.54.0
> OS Name: Windows Server 2012
> OS Version: 6.2
> Architecture: amd64
> JVM Version: 1.8.0_121-b13
> JVM Vendor: Oracle Corporation
> ______
>
> I'm currently in the process of trying to fix a site vulnerability; basically it
> is one type of "Improper Input Handling" attack.
>
> Let's say my website is www.mywebsite.com and there is a hacker's
> website www.hacker.com
>
> Whenever there is a request sent to www.mywebsite.com with a modified "Host"
> header pointing to www.hacker.com, my site will create a redirect to
> www.mywebsite.com along with whatever the url was. e.g.
>
> Normal:
> Host: www.mywebsite.com
> GET www.mywebsite.com/get/some/resources/
> Response 200 ok
>
> Hack:
> Host: www.hacker.com (#been manually modified)
> GET www.mywebsite.com/get/some/resources/
> Response 302
> Send another Redirect to www.hacker.com/get/some/resources
>
> My website is running on Tomcat 7. I tried a solution: set up a virtual host
> pointing unknown hosts to a defaultlocalhost which is supposed to do nothing,
> but it still sends the redirect for some reason.
>
> Here attached is my server.xml host configuration:
> ______
> jvmRoute="jvm1">
> unpackWARs="true" autoDeploy="false" deployOnStartup="true">
> directory="logs" prefix="localhost_access_log." suffix=".txt"
> pattern="%h %l %u %t %r %s %b" />
> ______
>
> So, my question is, am I on the right track to prevent this
> kind of attack? If yes, what did I do wrong that it is still not working?
> (The ultimate goal is, if it is not the legit Host that has been passed in, the
> request should be discarded/ignored/return 404, not redirected with a
> 302)

Hi.

The first thing is, as far as I know, Tomcat *by itself* will not generate this redirect response. But an application deployed inside Tomcat might do that, perhaps.

With the above configuration, this is what happens :

1) Any request coming in to your server, which has a Host: HTTP header which is not "recognised" by Tomcat, will be processed by this "defaultlocalhost" virtual Host.
See : http://tomcat.apache.org/tomcat-7.0-doc/config/engine.html#Attributes

2) this default virtual Host, as defined above, has an appBase="webapps", just like the other Host which you defined. That is because "webapps" is the *default* value for this attribute, and you did not specify it otherwise in your "defaultlocalhost".
See : http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Attributes

3) thus, if your normal application (corresponding to the URI get/some/resources/) is deployed under (tomcat_dir)/webapps, then your application will be called when anyone sends the following HTTP request to your server :

GET get/some/resources/ HTTP/1.1
Host: evil.hackers.com (or whatever is not "www.mywebsite.com")

What your application then does with this call, is up to your application. If it is some kind of framework, it might very well decide to return a redirect response. But that is not tomcat code.

If you want to protect against this, then you should provide your "defaultlocalhost" with a real appBase, different from the standard "webapps", and maybe put a default application there which returns a lit cluster bomb to the evil hacker. (or more reasonably, a "not found" response; which tomcat will do by itself if there is nothing there that matches the request URI).

Note that in addition, with your above configuration, there should be warnings in the tomcat logfile, because your application will be deployed twice : once for the "defaultlocalhost" Host, and once for the "www.mywebsite.com" Host.

> Thank you in advance.
>
> More references about the attack here :
> http://www.skeletonsc
Re: Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack
On 22.05.2017 20:35, Cai, Charles [COMRES/RTC/RTC] wrote:
> Hi there,
>
> Server Specs:
> Server version: Apache Tomcat/7.0.54
> Server built: May 19 2014 10:26:15
> Server number: 7.0.54.0
> OS Name: Windows Server 2012
> OS Version: 6.2
> Architecture: amd64
> JVM Version: 1.8.0_121-b13
> JVM Vendor: Oracle Corporation
>
> I'm currently in the process of trying to fix a site vulnerability; basically it
> is one type of "Improper Input Handling" attack.
>
> Let's say my website is www.mywebsite.com and there is a hacker's
> website www.hacker.com
>
> Whenever there is a request sent to www.mywebsite.com with a modified "Host"
> header pointing to www.hacker.com, my site will create a redirect to
> www.mywebsite.com along with whatever the url was. e.g.
>
> Normal:
> Host: www.mywebsite.com
> GET www.mywebsite.com/get/some/resources/
> Response 200 ok
>
> Hack:
> Host: www.hacker.com (#been manually modified)
> GET www.mywebsite.com/get/some/resources/
> Response 302
> Send another Redirect to www.hacker.com/get/some/resources
>
> My website is running on Tomcat 7. I tried a solution: set up a virtual host
> pointing unknown hosts to a defaultlocalhost which is supposed to do nothing,
> but it still sends the redirect for some reason.
>
> Here attached is my server.xml host configuration:
>
> So, my question is, am I on the right track to prevent this kind of attack?
> If yes, what did I do wrong that it is still not working?
> (The ultimate goal is, if it is not the legit Host that has been passed in, the
> request should be discarded/ignored/return 404, not redirected with a 302)

Hi.

The first thing is, as far as I know, Tomcat *by itself* will not generate this redirect response. But an application deployed inside Tomcat might do that, perhaps.

With the above configuration, this is what happens :

1) Any request coming in to your server, which has a Host: HTTP header which is not "recognised" by Tomcat, will be processed by this "defaultlocalhost" virtual Host.
See : http://tomcat.apache.org/tomcat-7.0-doc/config/engine.html#Attributes

2) this default virtual Host, as defined above, has an appBase="webapps", just like the other Host which you defined. That is because "webapps" is the *default* value for this attribute, and you did not specify it otherwise in your "defaultlocalhost".
See : http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Attributes

3) thus, if your normal application (corresponding to the URI get/some/resources/) is deployed under (tomcat_dir)/webapps, then your application will be called when anyone sends the following HTTP request to your server :

GET get/some/resources/ HTTP/1.1
Host: evil.hackers.com (or whatever is not "www.mywebsite.com")

What your application then does with this call, is up to your application. If it is some kind of framework, it might very well decide to return a redirect response. But that is not tomcat code.

If you want to protect against this, then you should provide your "defaultlocalhost" with a real appBase, different from the standard "webapps", and maybe put a default application there which returns a lit cluster bomb to the evil hacker. (or more reasonably, a "not found" response; which tomcat will do by itself if there is nothing there that matches the request URI).

Note that in addition, with your above configuration, there should be warnings in the tomcat logfile, because your application will be deployed twice : once for the "defaultlocalhost" Host, and once for the "www.mywebsite.com" Host.

> Thank you in advance.
>
> More references about the attack here :
> http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
> http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling
>
> Original Post on stackoverflow:
> https://stackoverflow.com/questions/44054591/tomcat-virtual-host-to-prevent-improper-input-handling-attack
>
> Charles Cai | Web Application Developer | RIDGID
> Emerson Commercial & Residential Solutions | charles@emerson.com
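As an added example (not the configuration posted in this thread, and not Tomcat's own documentation), here is a server.xml Engine fragment that shows the problem André describes beside the fix he suggests. The Host names, jvmRoute, and access-log attributes are the ones from Charles's post; Engine name="Catalina" and the AccessLogValve className are the stock Tomcat values; the directory name "default-webapps" is an assumption, any directory that does not contain the real application will do.

```xml
<!-- Added example: weak configuration beside the corrected one.
     "default-webapps" is an assumed directory name. -->

<!-- BEFORE: neither Host sets appBase, so both fall back to the default
     "webapps". The real application is therefore deployed under BOTH
     Hosts (Tomcat warns about the double deployment). A request whose
     Host: header Tomcat does not recognise is routed to the defaultHost,
     still reaches the application, and the application answers with its
     302 built from the attacker-controlled Host: header. -->
<Engine name="Catalina" defaultHost="defaultlocalhost" jvmRoute="jvm1">
  <Host name="defaultlocalhost"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true" />
  <Host name="www.mywebsite.com"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true">
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs" prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t %r %s %b" />
  </Host>
</Engine>

<!-- AFTER: the default Host gets its own appBase that holds no
     application. An unrecognised Host: header still lands in
     "defaultlocalhost", but nothing there matches the request URI, so
     Tomcat itself returns 404 and the application never sees the
     request. "www.mywebsite.com" keeps the real application in "webapps".
     A relative appBase is resolved against CATALINA_BASE; create the
     (empty) default-webapps directory before starting Tomcat. -->
<Engine name="Catalina" defaultHost="defaultlocalhost" jvmRoute="jvm1">
  <Host name="defaultlocalhost" appBase="default-webapps"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true" />
  <Host name="www.mywebsite.com" appBase="webapps"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true">
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs" prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t %r %s %b" />
  </Host>
</Engine>
```

To confirm the change took effect, send a request with a forged Host header, for instance curl -i -H "Host: www.hacker.com" http://www.mywebsite.com/get/some/resources/, and expect a 404 with no Location header; the same request with Host: www.mywebsite.com should still return 200. Two caveats: Tomcat routes on the exact Host name and any <Alias> children, so every legitimate name the site is reached by must be listed on the real Host or it too will get the 404; and the application is still building absolute redirects from the Host header, which remains an application bug that this configuration only stops from being reachable through unknown names.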