WebSphere Application Server & Liberty

 View Only
Expand all | Collapse all

configuring WebSphere Liberty to prevent host header injection?

  • 1.  configuring WebSphere Liberty to prevent host header injection?

    Posted Tue September 05, 2023 12:55 PM

    Hello,

    We have run a penetration test using HCL AppScan against an application running on WebSphere Liberty 23.0.0.5 which identified a risk of Host Header Injection with wording such as

    Risk: It is possible to deface the site content through web-cache poisoning
    It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social
    security number etc.Cause: Lack of input validation and sanitization
    Fix: Construct HTTP headers very carefully, avoiding the use of non-validated/unsanitized input data

    I am told by some colleagues that this was resolved in Wildfly via the use of filters such as

    <filter-ref name="host-checker"/>

        <filters>         <expression-filter name="host-checker" expression="not(equals(%{i,HOST}, validhost)) -> response-code(403)"/>     </filters>

    is there any equivalent setting that can be applied to the server.xml of WebSphere Liberty? I found this article https://openliberty.io/docs/latest/forwarded-header.html but I could not find any clear examples with example urls or regexp - just this generic example :-

    <remoteIp proxies="<regular_expression>" useRemoteIpInAccessLog="<true/false>"/>

    Is this the right setting and if so can anybody please suggest how this can be used to achieve the desired result or if there are other ways to satisfy this penetration test (and prevent genuine threats of this type)

    Thanks

    Rod



    ------------------------------
    Rod Allen
    ------------------------------


  • 2.  RE: configuring WebSphere Liberty to prevent host header injection?

    Posted Tue September 05, 2023 01:19 PM

    The only available option in the server configuration is to limit the hostnames that are mapped to the default_host virtual host or deploy your app to a virtual host that is similarly restricted.

    A recipe can be seen here: https://publib.boulder.ibm.com/httpserv/ihsdiag/vulnerabilities.html#configure-was-to-only-execute-your-web-modules-application-only-on-specific-hostnames

    On the topic of the vulnerability itself, in my personal opinion it seems like a scare tactic from the pen-test industrial complex:

    > Risk: It is possible to deface the site content through web-cache poisoning

    HTTP caches uses the Host: header as part of the cache key. To the extent your real servers configuration matters at all, it can only result in a cached response for a hostname no victim will use. If the attacker also has to get the victim to click on a link to a malicious hostname (that they encourage you to configure your application to not accept), they can already show them anything they want there without the use of any cache or your application server.



    ------------------------------
    Eric Covener
    ------------------------------



  • 3.  RE: configuring WebSphere Liberty to prevent host header injection?

    Posted Wed September 06, 2023 05:44 AM

    Hi Rod,

    This looks very familiar to the CIS Benchmark which could be a possible way forward too ,  maybe this is could help fix the risk.

    https://workbench.cisecurity.org/sections/1102593/recommendations/1738402

    Thanks

    Shiv



    ------------------------------
    Thanks,
    Shiv

    Shivraj Mudaliyar
    Associate Director | Enterprise Architecture
    Kyndryl Ireland
    ------------------------------