HTTP Host header attack

[fraenku]

The class UrlUtils is using the methodgetServerName()of the HttpServletRequest.
This method indeed is not secure since it could be manipulated through the host-header

See also: http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html)
or: https://find-sec-bugs.github.io/bugs.htm#SERVLET_SERVER_NAME

See also: https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/main/java/org/owasp/esapi/filters/SecurityWrapperRequest.java
for a list of potential request headers which are manipulable.

[ibaskine]

This issue is detected by Burp Scanner, which makes it difficult selling products based on Spring Security to security conscious customers. Are there any plans fixing this issue or is there any workaround?

[fraenku]

Some progress on this? issue is open since April...
The issue above leaded to an attack where an URL in an e-mail could be manipulated (which can be easily used for phising-attacks)

[ibaskine]

Just wander. Can I use code snippet below for getting server name?

new java.net.URI(request.getRequestURL().toString()).getHost()

[rady66]

What is the progress here? Could hardly believe action has not been taken for such security issue almost two years.

[gjoseph]

FWIW SourceClear reports this as a vulnerability (https://www.sourceclear.com/vulnerability-database/security/incorrect-headers-handling/java/sid-20558) - any chance this could get patched up soon?

[jzheaux]

Since the Host header is untrusted information, we should likely consider whitelisting as a solution. StrictHttpFirewall is the most suitable, so I'd propose adding a method StrictHttpFirewall#setAllowedHostnames(Predicate), which would ensure the hostname in HttpServletRequest is a known good value.

The application would need to set this value like so:

void configure(WebSecurity web) {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    firewall.setAllowedHostnames(hostname -> hostname.equals("example.org"));
    web
        .httpFirewall(firewall);
}

With this solution, UrlUtils would still invoke request.getServerName(), but it would be a known good value at that point.

@fraenku would this address the issue?