8 Replies Latest reply on Jan 10, 2019 8:53 AM by alessiodeangelis

Ignoring the Host Header Value and Use configured host name in responses.

alexj567 Nov 29, 2017 5:30 PM

I don't administer the Jboss/Wildfly deployment, but am looking to help the team out in fixing the issue. As of yet we have been coming up empty. Here is a simplistic sanitized example of the issue.

Curl -v https://localhost:8443/webapp -H “Host: evil.com”

Returns

GET /webapp HTTP/1.1

Host: evil.com

User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Cookie: JSESSIONID=RandomString; user=userName; locale=en-US

Connection: close

Upgrade-Insecure-Requests: 1

HTTP/1.1 302 Moved Temporarily

Server: Apache-Coyote/1.1

Location: https://evil.com/webapp/

Date: Thu, 19 Oct 2017 22:01:37 GMT

Connection: close

Basically we are looking for a way to make the location during redirects remain https://localhost:8443/<uri>

1. Re: Ignoring the Host Header Value and Use configured host name in responses.

dlofthouse Nov 30, 2017 4:55 AM (in response to alexj567)
How is an invalid host header getting set on the incoming request?

This header is set by the browser to confirm the host name and port combination it is using to communicate with the server (which often the server is not even aware of) - I see two scenarios that could lead to a spoofed header: -

A hacked web browser.
An intermediary in the call modifying the headers.

The integrity of the client is very important, there are some places such as in relation to cross original resource sharing that both the client side and the server side of the connection need to work together to handle the required checks safely. But also in that scenario it would be saying the client is deliberately asking to be redirected to evil.com.

The second scenario was an intermediary, if an intermediary was able to modify the request message then it is likely they would also be able to modify the response message and so the client could still be redirected to evil.com.
Actions
2. Re: Ignoring the Host Header Value and Use configured host name in responses.

ctomc Nov 30, 2017 10:53 AM (in response to alexj567)

so you basicly don't want "webapp" part of the request uri in your url?

you could just bind your application to / context.
you can do that by renaming the war to ROOT.war
or by adding jboss-web.xml with <context-root>/</context-root> to WEB-INF folder
Actions
3. Re: Ignoring the Host Header Value and Use configured host name in responses.

alexj567 Nov 30, 2017 2:19 PM (in response to dlofthouse)

https://www.owasp.org/index.php/Cache_Poisoning
Skeleton Scribe: Practical HTTP Host header attacks
I understand what you are stating, but we are more concerned with what the application does with the host header value. We recommend to our teams that they don't trust that value and to get it from the environment, but when this issue comes up in a report it must be resolved due to the policies we have in place. This was found in whitebox testing using a curl command similar to the one I posted.
Actions
4. Re: Ignoring the Host Header Value and Use configured host name in responses.

alexj567 Dec 1, 2017 11:28 AM (in response to ctomc)

Sorry I wasn't clear. I want the uri part. I just don't want localhost:8443 changed to evil.com in the response. I was trying to be general in the result of any request.
Actions
5. Re: Ignoring the Host Header Value and Use configured host name in responses.

jaikiran Dec 6, 2017 11:55 PM (in response to alexj567)

I checked the HTTP 1.1 spec and it does look like the current behaviour that you are noticing is probably not right. The Host header usage/expecations is spread across multiple sections[1] [2] [3] of the RFC. In context of what you are noting here, the important section from that spec appears to be this[1] which states:

If Request-URI is an absoluteURI, the host is part of the Request-URI. Any Host header field value in the request MUST be ignored.

So it looks like Undertow isn't ignoring the header field in this case. swd847 might know whether this is expected or is a bug.

[1] RFC 2068 - Hypertext Transfer Protocol -- HTTP/1.1
[2] RFC 2068 - Hypertext Transfer Protocol -- HTTP/1.1
[3] RFC 2068 - Hypertext Transfer Protocol -- HTTP/1.1
Actions
6. Re: Ignoring the Host Header Value and Use configured host name in responses.

swd847 Dec 7, 2017 4:31 PM (in response to jaikiran)

If you want to do this then just setup two virtual hosts, a default one that is empty (i.e. will return 404), and a virtual host for 'localhost' that has your applications deployed. Any request with a bogus host header will end up being handled by the empty virtual host.

There is nothing we can do about this without explicit configuration (i.e. we can't guard against this in the default config, as we don't know which hosts are allowed). We could remove the default virtual host from standalone.xml and just have a host for localhost by default, but that means to use Wildfly in production you need to make configuration changes, and is very user unfriendly.
Actions
7. Re: Ignoring the Host Header Value and Use configured host name in responses.

santosh66508 Jun 21, 2018 5:30 AM (in response to swd847)

Hi Start,

Would this solutino handle Host Header Attack as explained below?

Explanation:

my jboss web server does't have domain,only use IP to access
there is a web/common directory
when access the web server use:
curl -i -H "Host: www.google.com " "http://127.0.0.1:8080/web/common/"
it goto 404 web error page
when use:
curl -i -H "Host: www.google.com " "http://127.0.0.1:8080/web/common"
return：
HTTP/1.1 302 Moved Temporarily
Location: http://www.google.com/web/common/
Transfer-Encoding: chunked
Date: Wed, 23 May 2018 14:17:46 GMT
Server: VPS
how to config jboss to prevent Location redirect
http://127.0.0.1:8080/web/common to http://www.google.com/web/common/''

Many Thanks.
Actions
8. Re: Ignoring the Host Header Value and Use configured host name in responses.

alessiodeangelis Jan 10, 2019 8:53 AM (in response to alexj567)
Hi guys,
I know that this thread is not recent but I was struggling with your similar issue and I havent't found any solution to solve it online yet. I would like to spend few words on the way how I prevented host header injection attacks in wildfly, accepting only the requests with the right host header.

I created an undertow filter as shown in this guide https://kb.novaordis.com/index.php/Configuring_a_Custom_Undertow_Filter_in_WildFly
The filter should check the request host header. If the host header is not in the whitelist set a 400 status code, otherwise go ahead to the next httpHandler.
You may write something similar to the following snippet

@Override public void handleRequest(HttpServerExchange exchange) throws Exception { HeaderValues hostHeader = requestHeaders.get("host"); String host = hostHeader.getFirst(); if ( whitelistHosts.contains(host)) { next.handleRequest(exchange); } else { exchange.setStatusCode(400); } }

Hope this helps.
Best,
Alessio
Actions

Go to original post