Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
From: "Cai, Charles [COMRES/RTC/RTC]" <Charles.Cai@Emerson.com>
To: Tomcat Users List <users@tomcat.apache.org>
CC: "aw@ice-sa.com" <aw@ice-sa.com>
Subject: RE: Question about Tomcat Virtual Host to prevent
 Improper-Input-Handling attack
Thread-Topic: Question about Tomcat Virtual Host to prevent
 Improper-Input-Handling attack
Thread-Index: AdLTKbixfcg3P//USnawag135w210QABpOoAACUmJqA=
Date: Tue, 23 May 2017 13:05:15 +0000
Message-ID: <BLUPR10MB0417DEBC14F55B2E936EFDEBFFF90@BLUPR10MB0417.namprd10.prod.outlook.com>
References: <BLUPR10MB0417B6C26AC69F65F30431B0FFF80@BLUPR10MB0417.namprd10.prod.outlook.com>
 <592339B2.4090202@ice-sa.com>
In-Reply-To: <592339B2.4090202@ice-sa.com>
Accept-Language: en-US
Content-Language: en-US
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 May 2017 13:05:15.7923
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: eb06985d-06ca-4a17-81da-629ab99f6505
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR10MB0420
archived-at: Tue, 23 May 2017 13:06:15 -0000


Charles Cai | T +1 440 329 4888

-----Original Message-----
From: Andr=E9 Warnier (tomcat) [mailto:aw@ice-sa.com]=20
Sent: Monday, May 22, 2017 3:19 PM
To: users@tomcat.apache.org
Subject: Re: Question about Tomcat Virtual Host to prevent Improper-Input-H=
andling attack

On 22.05.2017 20:35, Cai, Charles [COMRES/RTC/RTC] wrote:
> Hi there,
>
> ______________________________________________________________________
> __________
> Server Specs:
> Server version: Apache Tomcat/7.0.54
> Server built:   May 19 2014 10:26:15
> Server number:  7.0.54.0
> OS Name:        Windows Server 2012
> OS Version:     6.2
> Architecture:   amd64
> JVM Version:    1.8.0_121-b13
> JVM Vendor:     Oracle Corporation
> ______________________________________________________________________
> __________
>
> I'm currently on the process of trying fix a site vulnerability, basicall=
y it is one type of the "Improper Input Handling" attack.
>
> Let's say my website is www.mywebsite.com and there is hacker's=20
> website www.hacker.com
>
> whenever there is a request send to www.mywebsite.com with modified "Host=
" header point to www.hacker.com, my site will create a redirect to www.myw=
ebsite.com along with whatever the url it was. e.g.
>
> Normal:
> Host: www.mywebsite.com
> GET  www.mywebsite.com/get/some/resources/
> Response 200 ok
>
> Hack:
> Host: www.hacker.com (#been manually modified) GET =20
> www.mywebsite.com/get/some/resources/
> Response 302
> Send another Redirect to www.hacker.com/get/some/resources My website=20
> is running on Tomcat 7, I tried some solution with set up the virtual hos=
t by point the unknown host to a defaultlocalhost which supposed to do noth=
ing. but it still send the redirect for some reason.
>
> Here attached is my server.xml host configure:
> ______________________________________________________________________
> __________ <Engine name=3D"Catalina" defaultHost=3D"defaultlocalhost"=20
> jvmRoute=3D"jvm1"> <Host name=3D"www.mywebsite.com"  appBase=3D"webapps"
>          unpackWARs=3D"true" autoDeploy=3D"false" deployOnStartup=3D"true=
">
>
>      <Valve className=3D"org.apache.catalina.valves.AccessLogValve" direc=
tory=3D"logs"
>             prefix=3D"localhost_access_log." suffix=3D".txt"
>             pattern=3D"%h %l %u %t &quot;%r&quot; %s %b" />
>    </Host>
>
>    <Host name=3D"defaultlocalhost"  >
>    </Host>
> ______________________________________________________________________
> __________ So, my question is, Am I on the right track to prevent this=20
> kind of attack ? If yes, what I did wrong that still not working? (The=20
> ultimate goal is, if it is not the legit Host that been passed in, the=20
> request should be discard/ignored/return 404 but not redirect with=20
> 302)
>

Hi.
The first thing is, as far as I know, Tomcat *by itself* will not generate =
this redirect response.
But an application deployed inside Tomcat might do that, perhaps.

With the above configuration, this is what happens :

 > <Engine name=3D"Catalina" defaultHost=3D"defaultlocalhost" jvmRoute=3D"j=
vm1">

 >    <Host name=3D"defaultlocalhost"  >
 >    </Host>

1) Any request coming in to your server, which has a Host: HTTP header whic=
h is not "recognised" by Tomcat, will be processed by this "defaultlocalhos=
t" virtual Host.
See :  http://tomcat.apache.org/tomcat-7.0-doc/config/engine.html#Attribute=
s

2) this default virtual Host, as defined above, has an appBase=3D"webapps",=
 just like the other Host which you defined.
That is because "webapps" is the *default* value for this attribute, and yo=
u did not specify it otherwise in your "defaultlocalhost".
See : http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Attributes

3) thus, if your normal application corresponding to the URI get/some/resou=
rces/) is deployed under (tomcat_dir)/webapps, then your application will b=
e called when anyone sends the following HTTP request to your server :

GET get/some/resources/ HTTP/1.1
Host: evil.hackers.com (or whatever is not "www.mywebsite.com")

What your application then does with this call, is up to your application.
If it is some kind of framework, it might very well decide to return a redi=
rect response.
But that is not tomcat code.

If you want to protect against this, then you should provide your "defaultl=
ocalhost" with a real appBase, different from the standard "webapps", and m=
aybe put a default application there which returns a lit cluster bomb to th=
e evil hacker.
(or more reasonably, a "not found" response; which tomcat will do by itself=
 if there is nothing there that matches the request URI).

Note that in addition, with your above configuration, there should be warni=
ngs in the tomcat logfile, because your application will be deployed twice =
: once for the "defaultlocalhost" Host, and once for the "www.mywebsite.com=
" Host.


> Thank you in advance.
>
> More references about the attack here :
> http://www.skeletonscribe.net/2013/05/practical-http-host-header-attac
> ks.html=20
> http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handl
> ing
>
> Original Post on stackoverflow: =20
> https://stackoverflow.com/questions/44054591/tomcat-virtual-host-to-pr
> event-improper-input-handling-attack
>
> Charles Cai | Web Application Developer | RIDGID Emerson Commercial &=20
> Residential Solutions | Charles.Cai@emerson.com
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

That is , this is the issue, after I point the defaultlocalhost to a non-ex=
isting webapp directory, it returned 404 instead of issue another redirect =
with 302. Thank you very much. =20

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org