Hi, Our site was tested by one of the security scanner companies and found known vulnerability. It sounds as "Information Leakage is an application weakness where an application reveals sensitive data". I need help to update server settings to hide error details, not do display server technlogy details. They run curl command as: C:\curl\bin\curl.exe -i -s -k -X "GET" -H "Accept: application/json,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" -H "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7" -H "Accept-Language: en-us,en;q=0.5" -H "Host: whs'check" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0 Software Security Group" "https://www.[mysite.com]/" The output is resulting in java stack error as: <!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> The character ['] is never valid in a domain name.</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).</p><p><b>Exception</b></p><pre>java.lang.IllegalArgumentException: The character ['] is never valid in a domain name.
org.apache.tomcat.util.http.parser.HttpParser$DomainParseState.next(HttpParser.java:966)
org.apache.tomcat.util.http.parser.HttpParser.readHostDomainName(HttpParser.java:842)
org.apache.tomcat.util.http.parser.Host.parse(Host.java:66)
org.apache.tomcat.util.http.parser.Host.parse(Host.java:40)
org.apache.coyote.AbstractProcessor.parseHost(AbstractProcessor.java:293)
org.apache.coyote.ajp.AjpProcessor.prepareRequest(AjpProcessor.java:1062)
org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:523)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Thread.java:745) The culprit is: "Host: whs'check". Where the illegal character single quotation "'". I ran the test with different characters. I replaced "'" with "|" or "{". The application is generating just 400 error with no java stack as: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Hostname</h2>
<hr><p>HTTP Error 400. The request hostname is invalid.</p>
</BODY></HTML> I tried few things like adding an entry to server.xml file <Connector port=".... relaxedQueryChars="'"> Also, I tried to add to catalina.properties tomcat.util.http.parser.HttpParser.requestTargetAllow='
or
tomcat.util.http.parser.HttpParser.requestTargetAllow="'" Nothing seem to work. We run CF2016 with Tomcat 8.5.42 Thank you
... View more