Tomcat displaying stack traces on bad requests #1492

Open
ssoper-usgs opened this issue Mar 14, 2023 · 2 comments

Comments

@ssoper-usgs

Related to issue: #299

Our organization runs a security scan against our implementation of FROST-Server. The scan notes a vulnerability resulting from a Tomcat-level stack trace. The curl command that is run to provoke the Tomcat stack trace looks like this:

curl -i \
	-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" \
	-H "Accept-Language: en-us,en;q=0.5" \
	-H "Cache-Control: no-cache" \
	-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/104.0.5112.102 Safari/537.36" \
	https://<our domain name>/FROST-Server/v1.1/?'"--></style></scRipt><scRipt>netsparker(0x000073)</scRipt> HTTP/1.1"="'

The resulting error looks like this:

HTTP/2 400 
date: Fri, 10 Mar 2023 21:42:07 GMT
content-type: text/html;charset=utf-8
content-length: 2253
content-language: en

<!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the request target [&#47;FROST-Server&#47;v1.1&#47;?&quot;--&gt;&lt;&#47;style&gt;&lt;&#47;scRipt&gt;&lt;scRipt&gt;netsparker(0x000073)&lt;&#47;scRipt&gt; ]. The valid characters are defined in RFC 7230 and RFC 3986</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).</p><p><b>Exception</b></p><pre>java.lang.IllegalArgumentException: Invalid character found in the request target [&#47;FROST-Server&#47;v1.1&#47;?&quot;--&gt;&lt;&#47;style&gt;&lt;&#47;scRipt&gt;&lt;scRipt&gt;netsparker(0x000073)&lt;&#47;scRipt&gt; ]. The valid characters are defined in RFC 7230 and RFC 3986
	org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:494)
	org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:271)
	org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
	org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
	org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	java.base&#47;java.lang.Thread.run(Thread.java:829)
</pre><p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p><hr class="line" /><h3>Apache Tomcat/9.0.72</h3></body></html>

Interestingly, when I run a similar curl command against the demo frost server:

curl -i \
	-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" \
	-H "Accept-Language: en-us,en;q=0.5" \
	-H "Cache-Control: no-cache" \
	-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/104.0.5112.102 Safari/537.36" \
	https://ogc-demo.k8s.ilt-dmz.iosb.fraunhofer.de/v1.1/?'"--></style></scRipt><scRipt>netsparker(0x000073)</scRipt> HTTP/1.1"="'

I get the desired output I'd love to have on our own implementation, which looks like this:

HTTP/1.0 400 Bad request
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.
</body></html>

I'm wondering if you have any pointers on how I can get the above 400 bad request output when launching the demonstrated api call against our own FROST-Server api, so that we can pass our security scan. Are there configuration changes we can make? We currently deploy our implementation of FROST-Server using docker. Thanks!

@hylkevds (Member)

As mentioned in #299, FROST is never involved in these calls, since Tomcat directly rejects the request.

The ogc-demo service returns a different error because that service is running on a Kubernetes cluster and thus FROST is behind an NGINX reverse proxy that blocks the invalid request.

To change this in the Docker image, you'll have to

  1. figure out how to configure Tomcat to change the error message
  2. build a custom FROST image, with that configuration applied
  3. (optionally) create a PR to have the improvement in future FROST versions.

Note that the stack trace contains no useful information for an attacker, except maybe that the service runs on Tomcat. But most attackers will already have guessed that earlier.
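
Steps 1 and 2 of the list above worked through, as an added example that is not part of this thread and not FROST-Server project code: a POSIX shell script that patches Tomcat's server.xml to declare an ErrorReportValve with showReport="false" and showServerInfo="false". Both are documented attributes of Tomcat's ErrorReportValve; the first drops the "Exception" section (the stack trace) from generated error pages and the second drops the "Apache Tomcat/9.0.72" footer. The server.xml is a constructed, trimmed copy of the stock file so the script runs offline; the path /usr/local/tomcat/conf/server.xml mentioned in the usage note is the official Tomcat image layout and is an assumption about the FROST image, so check it against the image you actually deploy.

```shell
#!/bin/sh
# Added example, not FROST-Server project code: declare an ErrorReportValve in
# Tomcat's server.xml so that error pages (including the 400 Tomcat emits for a
# rejected request line) carry neither a stack trace nor the Tomcat version.
#   showReport="false"     -> omits the "Exception" <pre> block
#   showServerInfo="false" -> omits the "Apache Tomcat/9.0.72" footer
set -eu

VALVE='<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />'

# Insert the valve directly before </Host> (the valve must live inside <Host>).
# Idempotent: a server.xml that already declares an ErrorReportValve is left alone.
# $1 = path to server.xml, rewritten in place through a temp file.
harden_error_report() {
  f="$1"
  if grep -q 'ErrorReportValve' "$f"; then
    echo "ErrorReportValve already declared in $f; nothing to do" >&2
    return 0
  fi
  # Emit the valve line ahead of the closing </Host> tag, copy everything else.
  awk -v valve="        $VALVE" '
    /<\/Host>/ { print valve }
    { print }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Check used after patching (also usable in CI against an image's server.xml):
# succeeds only when the valve is declared with both attributes switched off.
error_report_hardened() {
  grep -q 'ErrorReportValve' "$1" &&
    grep -q 'showReport="false"' "$1" &&
    grep -q 'showServerInfo="false"' "$1"
}

# Constructed minimal server.xml (shape of the stock Tomcat file, trimmed) so the
# script can be exercised offline; $1 = path to write.
write_sample_server_xml() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
EOF
}

# Demo run against the constructed file:  sh harden.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp="$(mktemp -d)"
  write_sample_server_xml "$tmp/server.xml"
  harden_error_report "$tmp/server.xml"
  error_report_hardened "$tmp/server.xml" && echo "server.xml hardened:" \
    && grep -n 'ErrorReportValve' "$tmp/server.xml"
fi
```

To apply it in Docker (step 2 above), derive an image from the FROST image you deploy, COPY this script in and RUN it against /usr/local/tomcat/conf/server.xml at build time (assumed path, from the official Tomcat image), then rerun the curl command from the first post and confirm the 400 body contains neither a <pre> block nor a Tomcat version line. If your image already sets errorReportValveClass on the Host or ships its own valve declaration, adjust the grep and awk patterns to match.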

@ssoper-usgs (Author)

@hylkevds I agree with you that there is nothing in that stack trace of value to an attacker, but the security scan performed regularly by my org will still detect it and force us to make an update to remove the stack traces. Thanks for the advice, I had found similar tips elsewhere regarding adjusting tomcat itself but was hoping to avoid doing that if possible. I'll report back on anything I can come up with.
