Posted to users@wicket.apache.org by "Jonathan P. Babie" <jb...@osc.ny.gov.INVALID> on 2022/11/08 02:38:38 UTC

Host Header Injection Solution

Hello,

Our Wicket web application went through an app scan.  We understand most problems that came back from the report and have solutions, but one that's troubling us is:

I've omitted our URLs, but essentially it seems they were able to manipulate the hostname to a different URL.

Unfortunately we weren't given much context aside from this report.

We assume that there are three avenues for us to resolve this:

  1.  Wicket configuration
  2.  Server configuration
  3.  Non-issue (if this problem is addressed with the framework itself and we don't need to worry about it)

We did come across this filter that might be a solution:

getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener().addAcceptedOrigin("[domain]"));

Would adding this to our application resolve the above problem?

If there's any information you could provide as to how we can address it, we would greatly appreciate it.

Thank you,


Jonathan Babie

Java Applications Developer

Work: (838) 910-4274

Personal: (518) 331-8758

Notice: This communication, including any attachments, is intended solely for the use of the individual or entity to which it is addressed. This communication may contain information that is protected from disclosure under State and/or Federal law. Please notify the sender immediately if you have received this communication in error and delete this email from your system. If you are not the intended recipient, you are requested not to disclose, copy, distribute or take any action in reliance on the contents of this information.

Re: Host Header Injection Solution

Posted by "Jonathan P. Babie" <jb...@osc.ny.gov.INVALID>.
I apologize, it looks like the screenshot I provided didn't come through, here are the details describing the problem:

Host Header Injection
Severity: Low
CVSS Score: 5.0
URL: https://example.domain.com/lgmm
Entity: lgmm (Page)
Risk: It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
It is possible to deface the site content through web-cache poisoning
Cause: Lack of input validation and sanitization
Fix: Construct HTTP headers very carefully, avoiding the use of non-validated/unsanitized input data
Difference: Header Host manipulated from: https://example.domain.com/lgmm to: appscanheaderinjection.com
Reasoning: The value AppScan injected seems to be included in the response.

Test Requests and Responses:
GET /lgmm HTTP/1.1
Host: appscanheaderinjection.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://example.domain.com/lgmm
Accept-Language: en-US
Cookie: _ga=GA1.3.1391786996.1665688780; _gid=GA1.3.367705640.1666623649; WASJSESSIONID=0000A4ALFyhmv7lv15hiAc5MRjO:1clm7f9nj; _gat=1; LtpaToken2=[value omitted]

HTTP/1.1 302 Found
Date: Fri, 28 Oct 2022 01:06:10 GMT
X-Powered-By: Servlet/3.1
Location: https://appscanheaderinjection.com/lgmm/
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en-US
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload


Jonathan Babie

Java Applications Developer

Work: (838) 910-4274


Re: Host Header Injection Solution

Posted by "Jonathan P. Babie" <jb...@osc.ny.gov.INVALID>.
Hi Martin,

Thank you very much, we'll go that route!


Jonathan Babie

Java Applications Developer

Work: (838) 910-4274


Re: Host Header Injection Solution

Posted by Martin Grigorov <mg...@apache.org>.
Hi Jonathan,

On Tue, Nov 8, 2022 at 4:39 AM Jonathan P. Babie <jb...@osc.ny.gov.invalid>
wrote:

> Hello,
>
> Our Wicket web application went through an app scan.  We understand most
> problems that came back from the report and have solutions, but one that's
> troubling us is:
>
>
> I've omitted our URLs, but essentially it seems they were able to
> manipulate the hostname to a different url.
>
> Unfortunately we weren't given much context aside from this report.
>
> We assume that there are three avenues for us to resolve this:
>
>    1. Wicket configuration
>    2. Server configuration
>    3. Non-issue (if this problem is addressed with the framework itself
>    and we don't need to worry about it)
>
> We did come across this filter that might be a solution:
>
> getRequestCycleListeners().add(new
> CsrfPreventionRequestCycleListener().addAcceptedOrigin("[domain]"));
>
> Would adding this to our application resolve the above problem?
>

Yes!
This should be the solution!



>
> If there's any information you could provide as to how we can address it,
> we would greatly appreciate it.
>
> Thank you,
>
> Jonathan Babie
>
> Java Applications Developer
>
> Work: (838) 910-4274
>
> Personal: (518) 331-8758
>
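
The 302 in the scan output builds its Location from whatever Host value the client sent, which is what AppScan flagged. The listener discussed in the thread compares the Origin (or, failing that, Referer) header of incoming requests against the accepted origins; an explicit allow-list on the Host header itself is a separate check. The filter below is an added example written for this page, not code from the thread or from Wicket. It assumes the javax.servlet 3.1 API (matching the X-Powered-By header in the scan); the class name, the "allowedHosts" init-param name and the helper method names are illustrative.

```java
// Added example (not from the thread or from Wicket): a servlet filter that
// rejects requests whose Host header is not on an explicit allow-list, so
// nothing downstream builds a redirect Location from an attacker-chosen host.
// Assumptions: javax.servlet 3.1 API; allowed hosts arrive as a comma-separated
// init-param; class, parameter and method names are illustrative.
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HostHeaderAllowListFilter implements Filter {

    private Set<String> allowedHosts = Collections.emptySet();

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Hypothetical init-param, e.g. "example.domain.com,example.domain.com:8443"
        String param = config.getInitParameter("allowedHosts");
        if (param == null || param.trim().isEmpty()) {
            throw new ServletException("allowedHosts init-param is required");
        }
        Set<String> hosts = new HashSet<>();
        for (String h : param.split(",")) {
            String n = normalizeHost(h);
            if (n != null) {
                hosts.add(n);
            }
        }
        allowedHosts = Collections.unmodifiableSet(hosts);
    }

    /**
     * Lower-cases the host and strips an explicit port, keeping IPv6 literals
     * ("[::1]:8443" -> "[::1]") intact. Returns null for empty or malformed input,
     * which the caller treats as "not allowed".
     */
    static String normalizeHost(String host) {
        if (host == null) {
            return null;
        }
        String h = host.trim().toLowerCase(Locale.ROOT);
        if (h.isEmpty()) {
            return null;
        }
        if (h.startsWith("[")) {                 // IPv6 literal
            int close = h.indexOf(']');
            return close < 0 ? null : h.substring(0, close + 1);
        }
        int colon = h.indexOf(':');
        if (colon >= 0) {
            h = h.substring(0, colon);
        }
        // Only a plain DNS name or IPv4 literal survives; this also rejects
        // path, CR/LF or scheme characters smuggled into the header.
        return h.matches("[a-z0-9.-]+") ? h : null;
    }

    static boolean isAllowed(String hostHeader, Set<String> allowed) {
        String n = normalizeHost(hostHeader);
        return n != null && allowed.contains(n);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Read the raw header rather than getServerName() so the check sees
        // exactly what the client sent, including any port or malformed value.
        if (!isAllowed(request.getHeader("Host"), allowedHosts)) {
            // 400 with no Location header: nothing for a cache or a user to follow.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Map the filter in web.xml on the `/*` pattern ahead of WicketFilter so it runs before any redirect is produced, and list every name the application is legitimately reached by (including a port where clients send one). If a reverse proxy or the container's default virtual host sits in front and rewrites Host, the filter only sees the rewritten value, so that layer should also be configured to refuse names it does not serve; with both in place, re-running the request from the report with `Host: appscanheaderinjection.com` should return 400 instead of the 302 shown above.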