Host HTTP Header(s) and X-Forwarded-Host in PRPC 7.1.8
Does Pega use these, or expect these headers to have certain values? I think not based on what I'm getting from our security team, but what can I/should I do about it?
We had a whitehat scan of our application; the team reports that it's possible to inject the Host [HTTP] header and X-Forwarded-Host, and Pega is passing these back unmodified, which is a vulnerability for attack.
So, does Pega use these? I note that in 7.2.1, X-Forwarded-* will "replace" the ContextRewriteEnabled mechanism for generating absolute URLs; but can I just (for now) disable these?
How would I do that? Is this an application server setting, or web server, or what? (We have an F5 fronting IHS web server, and Websphere Application Server [8.5, if I recall, but I'm not sure the version]; so what config do I need to change?)
Or, is Pega using these, and if so, how are bad values being passed through?
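As an added illustration (not Pega code and not from the poster), the Python sketch below contrasts an absolute-URL builder that reflects Host/X-Forwarded-Host unmodified, as the scan describes, with one that honours X-Forwarded-* only when the TCP peer is a trusted proxy (assumed here to be the F5 on 10.0.0.0/24) and then checks the hostname against an allowlist. The hostnames and network are constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed deployment assumptions for this example: the hostnames that may
# appear in generated links, and the network of the F5 that terminates clients.
ALLOWED_HOSTS = {"pega.example.com", "pega-uat.example.com"}
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]
_HOST_RE = re.compile(r"^(?P<name>[a-z0-9.-]+|\[[0-9a-f:.]+\])(?::\d{1,5})?$", re.I)


def _get(headers, name):
    """Case-insensitive header lookup on a plain dict."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def naive_base_url(headers):
    """The reflected behaviour the scan flagged: whatever the client sends wins."""
    host = _get(headers, "X-Forwarded-Host") or _get(headers, "Host") or ""
    scheme = _get(headers, "X-Forwarded-Proto") or "http"
    return f"{scheme}://{host}"


def hardened_base_url(headers, peer_ip, allowed=ALLOWED_HOSTS, trusted=TRUSTED_PROXIES):
    """Return 'scheme://host[:port]' for absolute links, or None to reject the request.

    X-Forwarded-* is honoured only when the TCP peer is one of our own proxies;
    from any other peer those headers are client-controlled and are ignored.
    The resulting hostname must be on the allowlist, so a spoofed value cannot
    be reflected into links, redirects or e-mailed URLs.
    """
    from_proxy = any(ip_address(peer_ip) in net for net in trusted)
    forwarded = _get(headers, "X-Forwarded-Host") if from_proxy else None
    # A chain of proxies may append values; only the first is the client-facing host.
    host = (forwarded or _get(headers, "Host") or "").split(",")[0].strip().lower()
    m = _HOST_RE.match(host)
    if not m or m.group("name") not in allowed:
        return None
    scheme = (_get(headers, "X-Forwarded-Proto") or "http") if from_proxy else "http"
    if scheme not in ("http", "https"):
        return None
    return f"{scheme}://{host}"
```

Returning None is the signal to answer 400 rather than build a link; the allowlist is what stops a request arriving with Host: evil.example from being echoed back.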