Posted to users@tomcat.apache.org by Nadav Katz <na...@oracle.com> on 2011/09/04 06:54:23 UTC

CRLF Stripped in Tomcat Response Header

Hi All!

First, let me assure everyone that I am not a hacker, exactly the opposite, but I have a related problem. I am in the process of implementing code that protects against header manipulation. I created a filter that strips line feed and carriage return characters from requests to avoid header splitting. The thing is, I want to test it, and can't recreate the issue with Tomcat. 

When I insert this code in my jsp:

<%
    // Value with embedded CRLFs, intended to split the response header
    String attack = "name=Bad Hacker\r\nHTTP/1.1 404 Page not found\r\n...";
    response.setHeader("Set-Cookie", attack);
%>

The returned request looks like this:

Set-Cookie: author=Wiley Hacker  HTTP/1.1 404 Page not found  ...\r\n

 

As you can see all the CRLF have been replaced with whitespaces. I'm assuming Tomcat is doing this, but I can't find where, even after looking through the code and reading the documentation. Does anyone know anything about this? Is there any way to turn this off? I can't test my code when it's in place. Alternatively if anyone has any other solution as to how to test it, I would be most grateful.

Thanks!

Btw, I'm using Tomcat 6.0.32 

 

RE: CRLF Stripped in Tomcat Response Header

Posted by Nadav Katz <na...@oracle.com>.
Thank you very much for your input; you raised several points that hadn't occurred to me. I will redesign my original solution around them. Thanks also for this mailing list, it's a tremendous help.

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Sunday, September 04, 2011 3:10 PM
To: Tomcat Users List
Subject: Re: CRLF Stripped in Tomcat Response Header

On 04/09/2011 12:16, Nadav Katz wrote:
> Sorry Mark, I just noticed your input regarding the filter. I am
> really only worried about attackers tampering with request headers.
> The reason is that we may have (now or in the future) code that gets
> request headers and inserts them into the response.

OK.

> Since I know I
> never expect request headers to contain any illegal characters like
> the ones you are blocking, I believe I am safe enough stripping them
> from requests without even worrying about the authenticity of the
> header. If you think there is a flaw in my logic I would be very
> happy if you could elaborate, since I am new to this world.

It is impossible for \r or \n to appear in a request header value since
those characters are used to signal the end of a header line.

> The
> specific code I posted was only for testing purposes. I was analyzing
> network traffic and kept seeing the line carriages dropped. My full
> intention was to create code that takes a header from the request and
> sets it in the response. Then I planned to send a request with said
> header manipulated with attack code (using an interceptor). Again,
> any input you might have would be welcome. Thanks Again, Nadav

I don't think the attack you are describing can possibly succeed.

Mark

> 
> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Sunday, September 04, 2011 12:58 PM
> To: Tomcat Users List
> Subject: Re: CRLF Stripped in Tomcat Response Header
> 
> On 04/09/2011 05:54, Nadav Katz wrote:
>> Hi All!
>> 
>> First, let me assure everyone that I am not a hacker, exactly the 
>> opposite, but I have a related problem. I am in the process of 
>> implementing code that protects against header manipulation. I 
>> created a filter that strips line feed and carriage return
>> characters from requests to avoid header splitting.
> 
> Something doesn't add up here. Your filter is meant to be filtering 
> requests (one wonders how it differentiates between legitimate
> headers and injected ones) yet your code is trying to inject headers
> into the response. I assume that you mean "response" when you write
> "request".
> 
>> The thing is, I want to test it, and can't recreate the issue with
>> Tomcat.
>> 
>> When I insert this code in my jsp:
>> 
>> String attack = "name=Bad Hacker\r\nHTTP/1.1 404 Page not 
>> found\r\n...";
>> 
>> response.setHeader("Set-Cookie", attack);
>> 
>> The returned request is returned like this:
>> 
>> 
>> 
>> Set-Cookie: author=Wiley Hacker  HTTP/1.1 404 Page not found 
>> ...\r\n
>> 
>> As you can see all the CRLF have been replaced with whitespaces.
>> I'm assuming Tomcat is doing this, but I can't find where, even
>> after looking through the code and reading the documentation.
> 
> 
> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?view=annotate
> Line 709 onwards.
> 
>> Does anyone know anything about this?
> 
> Clearly.
> 
>> Is there any way to turn this off?
> 
> There is no configuration option to disable this, nor will one ever
> be provided. You are, of course, free to modify the source code
> locally and re-build Tomcat.
> 
>> I can't test my code when it's in place. Alternatively if anyone
>> has any other solution as to how to test it, I would be most
>> grateful.
> 
> Are you sure this is even a problem that needs fixing? Which
> containers don't already provide this filtering?
> 
> Mark
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org



Re: CRLF Stripped in Tomcat Response Header

Posted by Mark Thomas <ma...@apache.org>.
On 04/09/2011 12:16, Nadav Katz wrote:
> Sorry Mark, I just noticed your input regarding the filter. I am
> really only worried about attackers tampering with request headers.
> The reason is that we may have (now or in the future) code that gets
> request headers and inserts them into the response.

OK.

> Since I know I
> never expect request headers to contain any illegal characters like
> the ones you are blocking, I believe I am safe enough stripping them
> from requests without even worrying about the authenticity of the
> header. If you think there is a flaw in my logic I would be very
> happy if you could elaborate, since I am new to this world.

It is impossible for \r or \n to appear in a request header value since
those characters are used to signal the end of a header line.

> The
> specific code I posted was only for testing purposes. I was analyzing
> network traffic and kept seeing the line carriages dropped. My full
> intention was to create code that takes a header from the request and
> sets it in the response. Then I planned to send a request with said
> header manipulated with attack code (using an interceptor). Again,
> any input you might have would be welcome. Thanks Again, Nadav

I don't think the attack you are describing can possibly succeed.

Mark

> 
> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Sunday, September 04, 2011 12:58 PM
> To: Tomcat Users List
> Subject: Re: CRLF Stripped in Tomcat Response Header
> 
> On 04/09/2011 05:54, Nadav Katz wrote:
>> Hi All!
>> 
>> First, let me assure everyone that I am not a hacker, exactly the 
>> opposite, but I have a related problem. I am in the process of 
>> implementing code that protects against header manipulation. I 
>> created a filter that strips line feed and carriage return
>> characters from requests to avoid header splitting.
> 
> Something doesn't add up here. Your filter is meant to be filtering 
> requests (one wonders how it differentiates between legitimate
> headers and injected ones) yet your code is trying to inject headers
> into the response. I assume that you mean "response" when you write
> "request".
> 
>> The thing is, I want to test it, and can't recreate the issue with
>> Tomcat.
>> 
>> When I insert this code in my jsp:
>> 
>> String attack = "name=Bad Hacker\r\nHTTP/1.1 404 Page not 
>> found\r\n...";
>> 
>> response.setHeader("Set-Cookie", attack);
>> 
>> The returned request is returned like this:
>> 
>> 
>> 
>> Set-Cookie: author=Wiley Hacker  HTTP/1.1 404 Page not found 
>> ...\r\n
>> 
>> As you can see all the CRLF have been replaced with whitespaces.
>> I'm assuming Tomcat is doing this, but I can't find where, even
>> after looking through the code and reading the documentation.
> 
> 
> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?view=annotate
> Line 709 onwards.
> 
>> Does anyone know anything about this?
> 
> Clearly.
> 
>> Is there any way to turn this off?
> 
> There is no configuration option to disable this, nor will one ever
> be provided. You are, of course, free to modify the source code
> locally and re-build Tomcat.
> 
>> I can't test my code when it's in place. Alternatively if anyone
>> has any other solution as to how to test it, I would be most
>> grateful.
> 
> Are you sure this is even a problem that needs fixing? Which
> containers don't already provide this filtering?
> 
> Mark


RE: CRLF Stripped in Tomcat Response Header

Posted by Nadav Katz <na...@oracle.com>.
Sorry Mark, I just noticed your input regarding the filter. 
I am really only worried about attackers tampering with request headers. The reason is that we may have (now or in the future) code that gets request headers and inserts them into the response. Since I know I never expect request headers to contain any illegal characters like the ones you are blocking, I believe I am safe enough stripping them from requests without even worrying about the authenticity of the header. If you think there is a flaw in my logic I would be very happy if you could elaborate, since I am new to this world.
The specific code I posted was only for testing purposes. I was analyzing network traffic and kept seeing the line carriages dropped. My full intention was to create code that takes a header from the request and sets it in the response. Then I planned to send a request with said header manipulated with attack code (using an interceptor). Again, any input you might have would be welcome. 
Thanks Again,
Nadav 

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Sunday, September 04, 2011 12:58 PM
To: Tomcat Users List
Subject: Re: CRLF Stripped in Tomcat Response Header

On 04/09/2011 05:54, Nadav Katz wrote:
> Hi All!
> 
> First, let me assure everyone that I am not a hacker, exactly the
> opposite, but I have a related problem. I am in the process of
> implementing code that protects against header manipulation. I
> created a filter that strips line feed and carriage return characters
> from requests to avoid header splitting.

Something doesn't add up here. Your filter is meant to be filtering
requests (one wonders how it differentiates between legitimate headers
and injected ones) yet your code is trying to inject headers into the
response. I assume that you mean "response" when you write "request".

> The thing is, I want to test
> it, and can't recreate the issue with Tomcat.
> 
> When I insert this code in my jsp:
> 
> String attack = "name=Bad Hacker\r\nHTTP/1.1 404 Page not
> found\r\n...";
> 
> response.setHeader("Set-Cookie", attack);
> 
> The returned request is returned like this:
> 
> 
> 
> Set-Cookie: author=Wiley Hacker  HTTP/1.1 404 Page not found
> ...\r\n
> 
> As you can see all the CRLF have been replaced with whitespaces. I'm
> assuming Tomcat is doing this, but I can't find where, even after
> looking through the code and reading the documentation.


http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?view=annotate
Line 709 onwards.

> Does anyone know anything about this?

Clearly.

> Is there any way to turn this off?

There is no configuration option to disable this, nor will one ever be
provided. You are, of course, free to modify the source code locally and
re-build Tomcat.

> I can't test my code when it's in place. Alternatively if anyone has any
> other solution as to how to test it, I would be most grateful.

Are you sure this is even a problem that needs fixing? Which containers
don't already provide this filtering?

Mark



RE: CRLF Stripped in Tomcat Response Header

Posted by Nadav Katz <na...@oracle.com>.
Thanks a lot for the reply Mark. I agree with you that it probably exists in most (if not all) containers, but we (I..) are forced to provide our own implementation as well. Thanks again for your help! 

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Sunday, September 04, 2011 12:58 PM
To: Tomcat Users List
Subject: Re: CRLF Stripped in Tomcat Response Header

On 04/09/2011 05:54, Nadav Katz wrote:
> Hi All!
> 
> First, let me assure everyone that I am not a hacker, exactly the
> opposite, but I have a related problem. I am in the process of
> implementing code that protects against header manipulation. I
> created a filter that strips line feed and carriage return characters
> from requests to avoid header splitting.

Something doesn't add up here. Your filter is meant to be filtering
requests (one wonders how it differentiates between legitimate headers
and injected ones) yet your code is trying to inject headers into the
response. I assume that you mean "response" when you write "request".

> The thing is, I want to test
> it, and can't recreate the issue with Tomcat.
> 
> When I insert this code in my jsp:
> 
> String attack = "name=Bad Hacker\r\nHTTP/1.1 404 Page not
> found\r\n...";
> 
> response.setHeader("Set-Cookie", attack);
> 
> The returned request is returned like this:
> 
> 
> 
> Set-Cookie: author=Wiley Hacker  HTTP/1.1 404 Page not found
> ...\r\n
> 
> As you can see all the CRLF have been replaced with whitespaces. I'm
> assuming Tomcat is doing this, but I can't find where, even after
> looking through the code and reading the documentation.


http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?view=annotate
Line 709 onwards.

> Does anyone know anything about this?

Clearly.

> Is there any way to turn this off?

There is no configuration option to disable this, nor will one ever be
provided. You are, of course, free to modify the source code locally and
re-build Tomcat.

> I can't test my code when it's in place. Alternatively if anyone has any
> other solution as to how to test it, I would be most grateful.

Are you sure this is even a problem that needs fixing? Which containers
don't already provide this filtering?

Mark



Re: CRLF Stripped in Tomcat Response Header

Posted by Mark Thomas <ma...@apache.org>.
On 04/09/2011 05:54, Nadav Katz wrote:
> Hi All!
> 
> First, let me assure everyone that I am not a hacker, exactly the
> opposite, but I have a related problem. I am in the process of
> implementing code that protects against header manipulation. I
> created a filter that strips line feed and carriage return characters
> from requests to avoid header splitting.

Something doesn't add up here. Your filter is meant to be filtering
requests (one wonders how it differentiates between legitimate headers
and injected ones) yet your code is trying to inject headers into the
response. I assume that you mean "response" when you write "request".

> The thing is, I want to test
> it, and can't recreate the issue with Tomcat.
> 
> When I insert this code in my jsp:
> 
> String attack = "name=Bad Hacker\r\nHTTP/1.1 404 Page not
> found\r\n...";
> 
> response.setHeader("Set-Cookie", attack);
> 
> The returned request is returned like this:
> 
> 
> 
> Set-Cookie: author=Wiley Hacker  HTTP/1.1 404 Page not found
> ...\r\n
> 
> As you can see all the CRLF have been replaced with whitespaces. I'm
> assuming Tomcat is doing this, but I can't find where, even after
> looking through the code and reading the documentation.


http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?view=annotate
Line 709 onwards.

> Does anyone know anything about this?

Clearly.

> Is there any way to turn this off?

There is no configuration option to disable this, nor will one ever be
provided. You are, of course, free to modify the source code locally and
re-build Tomcat.

> I can't test my code when it's in place. Alternatively if anyone has any
> other solution as to how to test it, I would be most grateful.

Are you sure this is even a problem that needs fixing? Which containers
don't already provide this filtering?

Mark

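The two mechanics this thread turns on, shown at the wire level as an added Python illustration (not Tomcat's code and not code from the original poster): a CR or LF can never be part of a request header value, because CRLF is what ends the header line, so reflecting request.getHeader() into a response header cannot carry a line break; and the container's output buffer turns CR and LF in a response header value into spaces, which is why the posted Set-Cookie came back on one line with double spaces. The /reflect endpoint, the X-Author header, the author parameter and tomcat_style_filter() are my assumptions for the example; the filter only models the replace-with-space behaviour Mark points to in InternalOutputBuffer, and the percent-encoded query-string variant is added to show where a CRLF does reach application code intact.

```python
"""Wire-level model of HTTP header splitting for the Tomcat thread above.
Not Tomcat code: tomcat_style_filter() models the CR/LF-to-space behaviour
described in the thread; /reflect, X-Author and 'author' are constructed.
"""
from typing import List, Tuple
from urllib.parse import quote, unquote

CRLF = b"\r\n"

# Constructed payload, the same shape as the one in the original post.
ATTACK_VALUE = "name=Bad Hacker\r\nHTTP/1.1 404 Page not found\r\n..."


def tomcat_style_filter(value: str) -> str:
    """Model of the container's output filtering: CR and LF become spaces."""
    return value.replace("\r", " ").replace("\n", " ")


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split an HTTP/1.x message head the way a conforming parser must:
    start line, then one header field per CRLF-terminated line, up to the
    empty line. A line with no ':' is returned with an empty name so the
    caller can see that it is not a valid field."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    fields: List[Tuple[str, str]] = []
    for line in lines[1:]:
        text = line.decode("latin-1")
        name, colon, value = text.partition(":")
        fields.append((name.strip(), value.strip()) if colon else ("", text))
    return lines[0].decode("latin-1"), fields, body


def write_response(headers: List[Tuple[str, str]], sanitize: bool) -> bytes:
    """Serialise a 200 response; with sanitize=True every header value goes
    through tomcat_style_filter() first, as the container would do."""
    lines = ["HTTP/1.1 200 OK"]
    for name, value in headers:
        lines.append(f"{name}: {tomcat_style_filter(value) if sanitize else value}")
    return CRLF.join(l.encode("latin-1") for l in lines) + CRLF + CRLF + b"<html/>"


def reflect(value: str, sanitize: bool) -> bytes:
    """The reflecting endpoint the original post wanted to test."""
    return write_response([("Set-Cookie", value)], sanitize)


def injected_lines(raw_response: bytes) -> List[str]:
    """Evidence of a successful split: header lines that are not
    'name: value' fields, or a second status line where the body should be.
    Point this at bytes read from a raw socket to test a real deployment."""
    _, fields, body = parse_head(raw_response)
    found = [text for name, text in fields if name == ""]
    if body.startswith(b"HTTP/"):  # payload carried its own blank line
        found.append(body.split(CRLF, 1)[0].decode("latin-1"))
    return found


def request_with_header(value: str) -> bytes:
    """Client that tries to smuggle CRLF inside a request header value."""
    return (b"GET /reflect HTTP/1.1\r\nHost: example.test\r\n"
            + f"X-Author: {value}".encode("latin-1") + CRLF + CRLF)


def header_value_seen_by_server(raw_request: bytes, name: str) -> str:
    """What request.getHeader(name) could ever return: the value ends at the
    first CRLF, whatever the client put after it."""
    _, fields, _ = parse_head(raw_request)
    return next(v for n, v in fields if n.lower() == name.lower())


def request_with_param(value: str) -> bytes:
    """Same payload percent-encoded in the query string: the vector that does
    reach application code with the CRLF intact, once it is URL-decoded."""
    return (b"GET /reflect?author=" + quote(value, safe="").encode("ascii")
            + b" HTTP/1.1\r\nHost: example.test\r\n\r\n")


def param_value_seen_by_server(raw_request: bytes, name: str) -> str:
    """What request.getParameter(name) returns for a query-string parameter."""
    start, _, _ = parse_head(raw_request)
    query = start.split(" ")[1].partition("?")[2]
    for pair in query.split("&"):
        key, _, encoded = pair.partition("=")
        if key == name:
            return unquote(encoded)
    return ""


if __name__ == "__main__":
    seen = header_value_seen_by_server(request_with_header(ATTACK_VALUE), "X-Author")
    print("header vector, value the server sees:", repr(seen))
    decoded = param_value_seen_by_server(request_with_param(ATTACK_VALUE), "author")
    print("param vector, unfiltered writer:", injected_lines(reflect(decoded, False)))
    print("param vector, container filter :", injected_lines(reflect(decoded, True)))
```

Run stand-alone it prints that the header vector delivers only "name=Bad Hacker" to the server (the rest of the payload lands on its own line, which a real parser would more likely reject with a 400 than pass on), while the percent-encoded parameter arrives with its CRLFs and, written unfiltered, produces a second status line in the header block; with the filter applied, injected_lines() is empty and the Set-Cookie value is the one-line, double-spaced form quoted in the original post. To test a real filter, keep parse_head() and injected_lines() and replace reflect() with the bytes read back from a raw socket after sending the same two requests.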