
The question is self-explanatory, I hope. I am setting up a Spring Security environment with a CAS-server. Because the exact same application is deployed on the same server, but the server is accessible via different host names (.de domain, .com domain, possibly more than that) and we want to deploy the same application on test systems and the local one as well, I built a dynamic service, where the service URL is derived from the request URL.

import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.cas.ServiceProperties;

// 'logger' is assumed to be the enclosing class's slf4j Logger field;
// 'serviceProperties' is not used in this snippet.
public static String makeDynamicUrlFromRequest(ServiceProperties serviceProperties, HttpServletRequest request) {
    // Fallback used whenever the request URL cannot be parsed.
    String serviceUrl = "https://backup-url.de/login";
    URI uri = null;
    try {
        // getRequestURL() reproduces the scheme, host and path the container saw.
        uri = new URI(request.getRequestURL().toString());
    } catch (URISyntaxException e) {
        logger.error("Someone tried accessing a disallowed service!", e);
    }

    if (uri != null) {
        // Rebuild the CAS service URL from the scheme and host of the incoming request.
        serviceUrl = uri.getScheme() + "://" + uri.getHost() + "/login";
    }

    return serviceUrl;
}

Is it possible to spoof this? If it is, does an additional regex-check provide me with the necessary security against this?

Schaka
    What do you mean by spoofable? What kind of attack do you want to defend against? – biziclop Jun 29 '15 at 09:50
  • I'm not entirely sure yet. If someone was able to modify the requestURL, the CAS-Server would redirect back to their own server. I'm not exactly sure what they could do with this but I found an issue in spring-security's JIRA explaining that they made ServiceProperties.getService() a final method for security reasons. – Schaka Jun 29 '15 at 11:40
  • If they modified the request url how would you have gotten the request? – developerwjk Jun 29 '15 at 23:15
  • It might be they request the correct URL and somehow modify the value I receive, that's why I asked whether it's spoofable. I suppose this answers my question - as in, it's not. I thought it might be like a modifiable header or something. I wasn't sure, hence the question. – Schaka Jun 30 '15 at 06:59

1 Answer


@developerwjk
"If they modified the request url how would you have gotten the request?"
An HTTP server is just a program that listens on a TCP port, waits for some incoming text and writes out some text as a response. (A trivial web server can be written in like 20 lines of code.) It only sees the IP address and port of whatever connected to it. That could even be a proxy, or some other sort of middle-ware. If you don't tell the program "by the way, I reached you through the URL http://my.com/myapp/servlet" then it just doesn't know e.g. how a browser will reach it.

@Schaka I don't know about your particular setup, but for jetty9, the result of getRequestURL is determined from the request URL in the request header, and - if the former is missing - the URL in the Host parameter. That is, if you connect to my.com and send the following request:

POST http://spoofed1.tld/myapp/servlet HTTP/1.1
Host: spoofed2.tld

(Keep in mind that the Host parameter is mandatory.)
Then getRequestURL will return http://spoofed1.tld/myapp/servlet

And if you send this:

POST /myapp/servlet HTTP/1.1
Host: spoofed2.tld

Then jetty itself will respond with

HTTP/1.1 302 Found
Location: http://spoofed2.tld/myapp/servlet
Content-Length: 0
Server: Jetty(<some version number>)

So the answer is yes, HttpServletRequest.getRequestURL() is spoofable, by modifying the request URL and/or the Host request header.

Niko O
  • And yes, this question is like 6 years old, but I couldn't find any answer by googling, so I had to find out for myself how this works. Hopefully this will help other people waste less time. – Niko O Oct 19 '21 at 09:48
  • Yea ... but I'm not sure that counts as spoofing, or how it could be exploited. – Stephen C Oct 19 '21 at 11:18
  • @StephenC It can be used to redirect the client to a spoofed location. It is a common item checked during penetration testing (you may guess why I know...). E.g. "does the server respond with 302 that contains the spoofed address as if it was valid data." A secure server should reject such requests. – Torben Oct 19 '21 at 11:54
  • @StephenC Spoofing just means to trick your communication partner into believing B, where it's actually A. So yeah, that's spoofing alright. Whether or not that can be exploited depends on what you do with it. If you use the result from `getRequestURL` to generate a link, store that in the database and then show that link to another user, then you have a vulnerability. (Even if there are no encoding/injection/sanitization problems.) – Niko O Oct 19 '21 at 13:05
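Since the answer shows that the scheme and host returned by getRequestURL() come straight from the client's request line or Host header, the safe way to build a per-host CAS service URL is to treat that host as untrusted input and accept it only if it matches an explicit allowlist of hosts the application is actually deployed on, falling back to a configured default otherwise. The following is an added example, not code from the question, the answer, Spring Security or Jetty; the class name CasServiceUrlResolver, the sample host names and the default URL are constructed for illustration. An exact-match set is used instead of the regex the question mentions, because a regex that is too loose (for example one that matches "example.de" as a substring of "example.de.attacker.tld") would re-open the same problem.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical helper that derives the CAS service URL only from allowlisted hosts. */
public final class CasServiceUrlResolver {

    private final Set<String> allowedHosts;  // lowercase host names this deployment serves
    private final String defaultServiceUrl;  // returned whenever the request host is not trusted
    private final String servicePath;        // e.g. "/login"

    public CasServiceUrlResolver(Set<String> allowedHosts, String defaultServiceUrl, String servicePath) {
        this.allowedHosts = allowedHosts;
        this.defaultServiceUrl = defaultServiceUrl;
        this.servicePath = servicePath;
    }

    /**
     * Builds the service URL from the request's scheme and host, but only when the scheme is
     * https and the host is one we deploy on. A request line such as
     * "POST http://spoofed1.tld/myapp/servlet HTTP/1.1" or a forged Host header therefore
     * yields the configured default instead of a URL pointing at the attacker's host.
     */
    public String resolve(String scheme, String host) {
        if (scheme == null || host == null) {
            return defaultServiceUrl;
        }
        String normalizedHost = host.toLowerCase(Locale.ROOT);
        if (!"https".equalsIgnoreCase(scheme) || !allowedHosts.contains(normalizedHost)) {
            return defaultServiceUrl;
        }
        return "https://" + normalizedHost + servicePath;
    }

    /** Servlet entry point: parses getRequestURL() and delegates to the allowlist check. */
    public String resolve(HttpServletRequest request) {
        try {
            URI uri = new URI(request.getRequestURL().toString());
            return resolve(uri.getScheme(), uri.getHost());
        } catch (URISyntaxException e) {
            // Unparseable request URL: never trust it, use the configured default.
            return defaultServiceUrl;
        }
    }

    public static void main(String[] args) {
        // Constructed sample configuration: the hosts the application is really reachable on.
        CasServiceUrlResolver resolver = new CasServiceUrlResolver(
                Set.of("example.de", "example.com", "test.example.internal"),
                "https://example.de/login",
                "/login");

        // Trusted host: the per-host service URL is produced.
        System.out.println(resolver.resolve("https", "example.com"));
        // Host taken from a spoofed request line / Host header: falls back to the default.
        System.out.println(resolver.resolve("https", "spoofed1.tld"));
        // Plain http is never accepted as the CAS service scheme here.
        System.out.println(resolver.resolve("http", "example.com"));
        // Substring lookalike that a loose regex might accept is rejected by exact matching.
        System.out.println(resolver.resolve("https", "example.de.attacker.tld"));
    }
}
```

The allowlist should be loaded from the same deployment configuration that already distinguishes the .de, .com, test and local systems, so adding a host name means adding it there rather than loosening the check. Logging the rejected host at the fallback branch also gives a simple detection signal for requests arriving with unexpected Host headers.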