I apologize, it looks like the screenshot I provided didn't come through, here
are the details describing the problem:
Host Header Injection
Severity: Low
CVSS Score: 5.0
URL: https://example.domain.com/lgmm
Entity: lgmm (Page)
Risk: It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc. It is possible to deface the site content through web-cache poisoning.
Cause: Lack of input validation and sanitization
Fix: Construct HTTP headers very carefully, avoiding the use of non-validated/unsanitized input data
Difference: Header Host manipulated from: https://example.domain.com/lgmm to: appscanheaderinjection.com
Reasoning: The value AppScan injected seems to be included in the response.
Test Requests and Responses:
GET /lgmm HTTP/1.1
Host: appscanheaderinjection.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://example.domain.com/lgmm
Accept-Language: en-US
Cookie: _ga=GA1.3.1391786996.1665688780; _gid=GA1.3.367705640.123649;
WASJSESSIONID=A4ALFyhmv7lv15hiAc5MRjO:1clm7f9nj; _gat=1;
LtpaToken2=4cbGpnckNcEuOVjnLrtO77dS96v5jomlaNb0QiVW9K9Elp4dZUMwJ9l3ZdUxee6J5WnM1IJX+qfnqBA4Fw6vz753dxnxDb2uvdfb/utmXpiT8O0zVFS4rPCPviz3+NzaeEHYigRKdrCJcgFS8b7IFpklrPbq4byZUS9+Fojo7lqCoWuTzS4YCleCWrH1417WL83blA/CIcJQx9qRJ4PtPN/hK5gJuXY1IN6uRNvKbDKLtpEftuHEu4ldcDP9DrGBfLJS8CZ+Y3WIWxfyG78awGj7pM2c76rqkUxd/jYfFJJA4ja0M4tOh6tkOPqimE1wvSzirmFMcEEDP+Dd9yYfUp2j+ZE1wXysfWZbF9nUotTXqFl28ICw6FurFHSvVgV8nmliIp7LJt7PFG4HPp1Rdk3W5vR921uP3GjMAfkfwpwhzkqV5o8cZCBvJ3th6iTA9ClrZ/VCauBQi9MMmlENrJpkejh+jyQaE8HpuH1AvCBa6hOOyKoaumQpNncQqGQ7DcNHa47seKXzpXJeEJ66nNHmLuSWP1Cpap07p0FUGTFLK68Qp4BoqeoZJQke3BrzwHV9kAXhDEuDxigHJdz/iG9kLExE38SQfljvm0qAGGyzRH4LNpokc+JKVii/bCyI1mCzq+1bEXUMjt7KiXHCgH4v7AdL0Sdajkc9KQb5RLo=

HTTP/1.1 302 Found
Date: Fri, 28 Oct 2022 01:06:10 GMT
X-Powered-By: Servlet/3.1
Location: https://appscanheaderinjection.com/lgmm/
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en-US
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload
Jonathan Babie
Java Applications Developer
Work: (838) 910-4274
From: Jonathan P. Babie
Sent: Monday, November 7, 2022 9:38 PM
To: users@wicket.apache.org
Subject: Host Header Injection Solution
Hello,
Our Wicket web application went through an app scan. We understand most
problems that came back from the report and have solutions, but one that's
troubling us is:
[inline screenshot of the scan finding: image not included]
I've omitted our URLs, but essentially it seems they were able to manipulate
the hostname to a different URL.
Unfortunately we weren't given much context aside from this report.
We assume that there are three avenues for us to resolve this:
1. Wicket configuration
2. Server configuration
3. Non-issue (if this problem is addressed with the framework itself and we
don't need to worry about it)
We did come across this filter that might be a solution:
getRequestCycleListeners().add(new
CsrfPreventionRequestCycleListener().addAcceptedOrigin("[domain]"));
Would adding this to our application resolve the above problem?
If there's any information you could provide as to how we can address it, we
would greatly appreciate it.
Thank you,
Jonathan Babie
Java Applications Developer
Work: (838) 910-4274
Personal: (518) 331-8758
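As an added example that is not part of this thread or of Wicket itself, here is a request cycle listener that rejects any request whose Host header is not on an allow-list, so a value such as appscanheaderinjection.com never reaches whatever builds the 302 Location shown above. It assumes Wicket 8 or later (IRequestCycleListener has default methods) on javax.servlet; the class name, the allow-list and the host example.domain.com are assumptions, not values from the report.

```java
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.wicket.request.cycle.IRequestCycleListener;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;

// Hypothetical listener: fails closed on any Host header this deployment does
// not serve, before Wicket or the container can build a redirect from it.
public class HostHeaderValidationListener implements IRequestCycleListener {

    private final Set<String> allowedHosts; // lower-case names, no default port

    public HostHeaderValidationListener(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    @Override
    public void onBeginRequest(RequestCycle cycle) {
        Object container = cycle.getRequest().getContainerRequest();
        if (!(container instanceof HttpServletRequest)) {
            return; // not a servlet request (e.g. a unit test); nothing to check
        }
        String host = ((HttpServletRequest) container).getHeader("Host");
        if (!isAllowed(host)) {
            // Generic 400 that does not echo the value back: reflecting it
            // into the response is exactly what the scanner flagged.
            throw new AbortWithHttpErrorCodeException(400, "Invalid Host header");
        }
    }

    // Host names are case-insensitive; a default port is stripped so that
    // "example.domain.com:443" matches the allow-list entry "example.domain.com".
    boolean isAllowed(String host) {
        if (host == null || host.isEmpty()) {
            return false; // HTTP/1.1 requires Host; absent means reject
        }
        String normalized = host.trim().toLowerCase(Locale.ROOT);
        if (normalized.endsWith(":443") || normalized.endsWith(":80")) {
            normalized = normalized.substring(0, normalized.lastIndexOf(':'));
        }
        return allowedHosts.contains(normalized);
    }

    // Registration in the WebApplication subclass, mirroring the snippet in the
    // original mail (Set.of needs Java 9+; the host name is a constructed value):
    //   @Override protected void init() {
    //       super.init();
    //       getRequestCycleListeners().add(
    //           new HostHeaderValidationListener(Set.of("example.domain.com")));
    //   }
}
```

This covers the Wicket-configuration avenue; a default virtual host on the container or reverse proxy that answers unknown Host values is the server-configuration avenue the original mail lists, and the two work alongside each other.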