Hi there, 

________________________________________________________________________________
Server Specs:
Server version: Apache Tomcat/7.0.54
Server built:   May 19 2014 10:26:15
Server number:  7.0.54.0
OS Name:        Windows Server 2012
OS Version:     6.2
Architecture:   amd64
JVM Version:    1.8.0_121-b13
JVM Vendor:     Oracle Corporation
________________________________________________________________________________

I'm currently in the process of trying to fix a site vulnerability; basically it 
is one type of "Improper Input Handling" attack.

Let's say my website is www.mywebsite.com and there is a hacker's website 
www.hacker.com.

Whenever a request is sent to www.mywebsite.com with a modified "Host" 
header pointing to www.hacker.com, my site will create a redirect to 
www.mywebsite.com along with whatever the URL was, e.g.

Normal:
Host: www.mywebsite.com 
GET  www.mywebsite.com/get/some/resources/
Response 200 ok

Hack:
Host: www.hacker.com (# manually modified) 
GET  www.mywebsite.com/get/some/resources/
Response 302 
Sends another redirect to www.hacker.com/get/some/resources 

My website is running on Tomcat 7. I tried a solution of setting up a 
virtual host that points unknown hosts to a defaultlocalhost, which is supposed to 
do nothing, but it still sends the redirect for some reason.

Attached here is my server.xml host configuration:
________________________________________________________________________________
<Engine name="Catalina" defaultHost="defaultlocalhost" jvmRoute="jvm1">

  <Host name="www.mywebsite.com" appBase="webapps"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true">

    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  </Host>

  <Host name="defaultlocalhost">
  </Host>

</Engine>
________________________________________________________________________________
So, my question is: am I on the right track to prevent this kind of attack? If 
yes, what did I do wrong that it is still not working? (The ultimate goal is: if 
the Host that was passed in is not the legitimate one, the request should be 
discarded/ignored/return 404, not a 302 redirect.)

Thank you in advance.

More references about the attack here : 
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html 
http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling 

Original Post on stackoverflow:  
https://stackoverflow.com/questions/44054591/tomcat-virtual-host-to-prevent-improper-input-handling-attack
 

Charles Cai | Web Application Developer | RIDGID
Emerson Commercial & Residential Solutions |
charles....@emerson.com


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
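Editor's note, with an added configuration example. The fragment below is not the configuration from the post above and not code from the Tomcat project; it is the shape of server.xml that gives the behaviour the poster is after (unknown Host value -> 404, never a 302). The point it illustrates: a `<Host>` with no `appBase` attribute uses Tomcat's default of `webapps`, so a bare `<Host name="defaultlocalhost">` deploys exactly the same applications as the real host and still runs the application code that issues the redirect (`HttpServletResponse.sendRedirect()` with a relative target builds its absolute `Location` from the server name, which Tomcat takes from the Host header). Pointing the catch-all host at an empty directory leaves it with no Context, and a request that maps to no Context is answered 404 by Tomcat itself. The directory `C:\tomcat\empty-appbase` and the log prefixes are assumptions; the `<Realm>` and other children of `<Engine>` in a stock server.xml are omitted for brevity and must be kept.

```xml
<!-- Added example (editor), not the original poster's configuration nor Tomcat's
     own. Assumptions: C:\tomcat\empty-appbase is any directory that exists and
     stays empty; log file prefixes are arbitrary. Keep the <Realm> and other
     Engine children from the stock server.xml alongside these two hosts. -->
<Engine name="Catalina" defaultHost="defaultlocalhost" jvmRoute="jvm1">

  <!-- The only host that serves the application. Tomcat selects the <Host> by
       the name in the HTTP Host header (port suffix removed, match is
       case-insensitive). Add an <Alias> for every name you legitimately answer
       to, otherwise those requests fall through to the catch-all and get 404. -->
  <Host name="www.mywebsite.com" appBase="webapps"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true">
    <Alias>mywebsite.com</Alias>
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="www_access_log." suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  </Host>

  <!-- Catch-all for every other Host value (www.hacker.com, a raw IP, junk).
       Without an explicit appBase this host would default to "webapps" and
       deploy the very same applications, so it must point at an EMPTY
       directory. With no Context deployed, Tomcat answers 404 before any
       servlet, and hence any sendRedirect(), can run. -->
  <Host name="defaultlocalhost" appBase="C:\tomcat\empty-appbase"
        unpackWARs="false" autoDeploy="false" deployOnStartup="false">
    <!-- Separate access log, with the raw Host header (%{Host}i) appended, so
         spoofed-Host requests are easy to spot and alert on. -->
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="unknown_host_access_log." suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{Host}i&quot;" />
  </Host>

</Engine>
```

To check the result after a restart, repeat the poster's two requests and compare only the status line and `Location` header: `curl -sS -o NUL -D - -H "Host: www.hacker.com" http://www.mywebsite.com/get/some/resources/` (on Windows; use `-o /dev/null` elsewhere) should now return `HTTP/1.1 404` with no `Location`, while the same command with `-H "Host: www.mywebsite.com"` keeps returning 200. If the spoofed request still yields a 302, the redirect is being generated before Tomcat's host mapping, for example by a reverse proxy or IIS in front of Tomcat, and the same Host allow-list has to be enforced there.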