Hi Chris,

Take any web application and try the curl command below. This curl command sends an invalid Host header; the application should validate it by comparing against the valid host headers and block the request by returning 404/403.

curl -isk -H "host:host.whitehatsec.com" "https://staging.avoxdata.com/portal/ticket/list?offset=10&host_header=host"

Currently it returns 302, basically redirecting the invalid host, which is not right. I found this link, a solution recommended by "Andre" of the Tomcat team:
https://stackoverflow.com/questions/44054591/tomcat-virtual-host-to-prevent-improper-input-handling-attack/69130997#69130997

Let me know what you think.

Regards,
Pradeep

On Mon, 13 Sep 2021, 2:44 pm Christopher Schultz, <ch...@christopherschultz.net> wrote:

> Pradeep,
>
> On 9/13/21 09:35, Pradeep wrote:
> > Hi Chris,
> >
> > I am using Tomcat 7.0.57, I can't change the Tomcat version now. I tried
> > adding a Virtual Host with RemoteHostValve to allow a list of hosts but still
> > no luck.
> >
> > <Host name="defaultlocalhost" appbase="whatever">
> > <Valve className="....RemoteHostValve"
> > allow="*.\myapplication\.com">
>
> This is because you are trying to block the client by their identity
> (like "localhost" if you are working locally). It has nothing whatsoever
> to do with the Host header, the hostname of the server, or anything
> else. RemoteAddrValve and RemoteHostValve are completely irrelevant for
> what you are trying to do.
>
> Can you give me specific instructions for how to reproduce this "attack"?
>
> -chris
>
> > On Mon, 13 Sep 2021, 2:28 pm Christopher Schultz, <ch...@christopherschultz.net> wrote:
> >
> >> Pradeep,
> >>
> >> On 9/10/21 17:38, Pradeep wrote:
> >>> My application is HTTPS not HTTP and now one of the application security
> >>> platforms WhiteHatSec raised this vulnerability issue.
> >>
> >> I tried to reproduce your "attack" on Tomcat 8.5.59, like this:
> >>
> >> $ cat forge
> >> GET www.microsoft.com/ HTTP/1.1
> >> Host: www.microsoft.com
> >>
> >>
> >> $ od -t x1 -a forge
> >> 0000000  47  45  54  20  77  77  77  2e  6d  69  63  72  6f  73  6f  66
> >>           G   E   T  sp   w   w   w   .   m   i   c   r   o   s   o   f
> >> 0000020  74  2e  63  6f  6d  2f  20  48  54  54  50  2f  31  2e  31  0d
> >>           t   .   c   o   m   /  sp   H   T   T   P   /   1   .   1  cr
> >> 0000040  0a  48  6f  73  74  3a  20  77  77  77  2e  6d  69  63  72  6f
> >>          nl   H   o   s   t   :  sp   w   w   w   .   m   i   c   r   o
> >> 0000060  73  6f  66  74  2e  63  6f  6d  0d  0a  0d  0a
> >>           s   o   f   t   .   c   o   m  cr  nl  cr  nl
> >>
> >> $ nc tomcat 8080 < forge
> >> HTTP/1.1 400
> >> Content-Type: text/html;charset=utf-8
> >> Content-Language: en
> >> Content-Length: 795
> >> Date: Mon, 13 Sep 2021 13:22:51 GMT
> >> Connection: close
> >>
> >> <!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad
> >> Request</title><style type="text/css">body
> >> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> >> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> >> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> >> {color:black;} .line
> >> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
> >> Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Status
> >> Report</p><p><b>Message</b> Invalid URI</p><p><b>Description</b> The
> >> server cannot or will not process the request due to something that is
> >> perceived to be a client error (e.g., malformed request syntax, invalid
> >> request message framing, or deceptive request routing).</p><hr
> >> class="line" /><h3>
> >>
> >> Changing the "www.microsoft.com" to "http://www.microsoft.com" returns
> >> this:
> >>
> >> HTTP/1.1 404
> >> Content-Type: text/html;charset=utf-8
> >> Content-Language: en
> >> Content-Length: 751
> >> Date: Mon, 13 Sep 2021 13:25:22 GMT
> >>
> >> <!doctype html><html lang="en"><head><title>HTTP Status 404 – Not
> >> Found</title><style type="text/css">body
> >> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> >> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> >> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> >> {color:black;} .line
> >> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
> >> Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status
> >> Report</p><p><b>Message</b> The requested resource [/] is not
> >> available</p><p><b>Description</b> The origin server did not find a
> >> current representation for the target resource or is not willing to
> >> disclose that one exists.</p><hr class="line" /><h3>Apache
> >> Tomcat/8.5.59</h3></body></html>
> >>
> >> Removing the "www.microsoft.com" from the request-line returns this:
> >>
> >> HTTP/1.1 404
> >> Content-Type: text/html;charset=utf-8
> >> Content-Language: en
> >> Content-Length: 751
> >> Date: Mon, 13 Sep 2021 13:24:34 GMT
> >>
> >> <!doctype html><html lang="en"><head><title>HTTP Status 404 – Not
> >> Found</title><style type="text/css">body
> >> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> >> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> >> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> >> {color:black;} .line
> >> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
> >> Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status
> >> Report</p><p><b>Message</b> The requested resource [/] is not
> >> available</p><p><b>Description</b> The origin server did not find a
> >> current representation for the target resource or is not willing to
> >> disclose that one exists.</p><hr class="line" /><h3>Apache
> >> Tomcat/8.5.59</h3></body></html>
> >>
> >> Please show me what (exact) steps are required to reproduce this issue.
> >> Also please try your "attack" against Tomcat 8.5.x and/or 9.0.x as well
> >> as your Tomcat 7.0.x version.
> >>
> >>> I tried the above configuration mentioned but no luck, but this
> >>> configuration is advised on the Apache website
> >>> http://tomcat.apache.org/tomcat-9.0-doc/config/host.html#Request_Filters
> >>> to filter the Host header. I understand this is trivial but I have to fix it,
> >>> and I think I should handle it in the application server Tomcat7.
> >>
> >> You can't filter-out the Host header. Well, not effectively.
> >>
> >>> I tried the below configuration but still validation is not working,
> >>> it's still redirecting other Host headers. Please let me know what
> >>> other configuration I can try
> >>>
> >> > <Host name="defaultlocalhost" appbase="whatever">
> >> > <Valve
> >> > className="org.apache.catalina.valves.RemoteAddrValve"
> >> > allow=".*\.myapplication1\.com|.*\myapplication2\.com"/>
> >> > </Host>
> >>
> >> You misunderstand the purpose of the RemoteAddrValve[1].
> >>
> >> The valve enforces client identity, not the host the client is trying to
> >> access. It also works on IP addresses, not hostnames. I'm surprised you
> >> were able to access anything at all.
> >>
> >> -chris
> >>
> >> [1]
> >> http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_Address_Valve
> >>
> >>> On Fri, Sep 10, 2021 at 7:36 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> >>>
> >>>> Pradeep,
> >>>>
> >>>> On 9/10/21 06:19, Pradeep wrote:
> >>>>> Hi Team,
> >>>>>
> >>>>> I need your help to fix HTTP Host header attacks.
> >>>>> I'm currently in the process of trying to fix a site vulnerability;
> >>>>> basically it is one type of the "Improper Input Handling" attack.
> >>>>>
> >>>>> Let's say my website is www.mywebsite.com and there is a hacker's website
> >>>>> www.hacker.com.
> >>>>> Whenever there is a request sent to www.mywebsite.com with a modified "Host"
> >>>>> header pointing to www.hacker.com, my site will create a redirect to
> >>>>> www.mywebsite.com along with whatever the url it was. e.g.
> >>>>>
> >>>>> *Normal:*
> >>>>> Host: www.mywebsite.com
> >>>>> GET www.mywebsite.com/get/some/resources/
> >>>>> Response 200 ok
> >>>>>
> >>>>> *Hack:*
> >>>>> Host: www.hacker.com (#been manually modified)
> >>>>> GET www.mywebsite.com/get/some/resources/
> >>>>> Response 302
> >>>>> Send another Redirect to www.hacker.com/get/some/resources
> >>>>>
> >>>>> I have found this configuration below for tomcat (my application is using
> >>>>> Tomcat7); does this work for this case? Also I have some existing Host name in
> >>>>> server.xml, not sure how to incorporate both Host configurations, please help
> >>>>> me on this.
> >>>>>
> >>>>> *Solution I found :*
> >>>>>
> >>>>> <Host name="defaultlocalhost" appbase="whatever" >
> >>>>> </Host>
> >>>>>
> >>>>> *My tomcat existing Host configuration:*
> >>>>> <Host name="localhost" appBase="webapps"
> >>>>> unpackWARs="true" autoDeploy="true">
> >>>>
> >>>> I'm not sure why the above configuration would change anything. Can you
> >>>> explain?
> >>>>
> >>>> Please note that the "attacker" in this situation can only attack
> >>>> himself. Injecting/modifying a header into an HTTP request can only be
> >>>> done if the attacker is in a MitM position, which should not be possible
> >>>> when using HTTPS. If using HTTP, then you are on your own and this
> >>>> attack is trivial.
> >>>>
> >>>> Assuming there is no MitM, it is challenging to cause another client to
> >>>> use a header of the attacker's choosing.
> >>>>
> >>>> Unless this is simply an academic question.
> >>>>
> >>>> I always use Tomcat configured with a "default" <Host>, but I suspect
> >>>> there may be a way to force Tomcat to treat a request as invalid if the
> >>>> Host header doesn't match the name (or alias) of any <Host> configured.
> >>>>
> >>>> -chris
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>> For additional commands, e-mail: users-h...@tomcat.apache.org
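An added server.xml example, not taken from this thread or from the linked Stack Overflow answer: the single-Host configuration Pradeep posted, beside the catch-all "default" <Host> pattern Chris mentions using, so that requests whose Host header matches no configured name or alias get a plain 404 from an empty host instead of reaching the application. The host names, the Engine element and the `empty-webapps` directory are assumptions.

```xml
<!-- Before (constructed from the configuration Pradeep posted): the only
     <Host> is also the Engine's defaultHost, so every request is routed to
     the application in webapps/ no matter what its Host header says. -->
<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true"/>
</Engine>

<!-- After (assumed names and directories): the application is bound to the
     names it legitimately answers for; anything else falls through to a
     default <Host> whose appBase is an existing, empty directory, so Tomcat
     answers with 404 rather than serving (and redirecting) the application.
     Host names are matched case-insensitively and without any :port suffix
     from the Host header. -->
<Engine name="Catalina" defaultHost="default">

  <!-- Catch-all for unknown Host headers. $CATALINA_BASE/empty-webapps must
       exist and stay empty; deployment is switched off so nothing is ever
       deployed here by accident. -->
  <Host name="default" appBase="empty-webapps"
        unpackWARs="false" autoDeploy="false" deployOnStartup="false"/>

  <!-- The real application, reachable only under its own names. -->
  <Host name="www.mywebsite.com" appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    <Alias>mywebsite.com</Alias>
  </Host>
</Engine>
```

With this in place, Pradeep's curl command against a Host value that is not a configured name or alias should come back 404 rather than 302. If a reverse proxy in front of Tomcat rewrites the Host header (for example to localhost), every request would land on the empty host, so check what the proxy forwards before relying on this.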