Dangerous Hostname Check

ID

java.dangerous_hostname_check

Severity

high

Resource

Risky Values

Language

Java

Tags

CWE:350, NIST.SP.800-53, OWASP:2021:A4, PCI-DSS:6.5.8

Description

Dangerous hostname checks occur when an application resolves a hostname, or reverse-resolves a client address, and then acts on the result without enforcing a security policy or validating what came back. DNS answers are controlled by whoever operates the zone (or, for reverse lookups, the address block), and they can change between the moment they are checked and the moment they are used. Relying on them unguarded exposes the application to DNS rebinding and to connections to unintended hosts, with consequences such as data interception or unauthorized access.

Rationale

Improper validation of hostnames can lead to significant security risks. If an application resolves a hostname that an attacker controls or can influence, it may connect to a malicious server, or to an internal host it was never meant to reach, instead of the legitimate endpoint.

Attackers exploit this through DNS rebinding (re-pointing a name they control after a check has passed), cache poisoning, or by publishing a reverse DNS record that names a trusted host. Hostnames and the addresses they resolve to therefore need to be validated before they are used to choose a communication endpoint, and the validated result, not a fresh lookup, should be what the connection actually uses.

For example, consider the following Java code, which is susceptible to this vulnerability:

import java.net.InetAddress;
import java.net.UnknownHostException;

public class HostnameCheck {
    public static void main(String[] args) {
        String hostname = "example.com";
        try {
            // Forward lookup: whatever the resolver returns is accepted without further checks.
            InetAddress inetAddress = InetAddress.getByName(hostname);
            // The address is used (printed here; in real code, connected to) exactly as resolved.
            System.out.println("IP address: " + inetAddress.getHostAddress());
        } catch (UnknownHostException e) {
            e.printStackTrace();
        }
    }
}

In this example, whatever address DNS returns for 'example.com' is accepted and used as-is: there is no allowlist of acceptable hosts or addresses, no check that the result is a public address rather than loopback or an internal range, and nothing ties the checked result to the connection that follows. An attacker who can influence resolution, through a poisoned cache or a name they control that is re-pointed between the check and the use, can steer the application to a host it never intended to reach; this is the DNS rebinding pattern described in CAPEC-275. The closely related case that CWE-350 names directly is trusting the result of a reverse lookup, such as InetAddress.getHostName() or getCanonicalHostName(), for an access decision, because the PTR record is published by whoever controls the address block.

Remediation

To remediate this vulnerability, the application should enforce a hostname validation policy and fail closed when a resolution does not match it. Follow these steps to mitigate risks associated with dangerous hostname resolution:

  1. Allowlist Hostnames and Addresses: Maintain a list of allowed hostnames (and, where the upstream is static, allowed addresses). Before establishing a connection, verify that the hostname is on the list and that every address it resolves to is acceptable; for hosts that are supposed to be public, reject loopback, link-local, private and multicast ranges. Connect to the validated address rather than resolving the name a second time, so the answer cannot change between the check and the connection.

  2. Forward-Confirmed Reverse DNS: If a reverse (PTR) lookup is part of the check, never trust it on its own; the PTR record is set by whoever controls the address block, which is exactly the weakness CWE-350 describes. Resolve the name returned by the reverse lookup forward again and require that the original address appear in the result. Hosts behind CDNs or shared load balancers often have no PTR record matching the expected hostname, so apply this check where the operator controls the records rather than as a blanket requirement.

  3. Use of Secure DNS: Use a DNSSEC-validating resolver, and DNS over HTTPS (DoH) or DNS over TLS for the resolver transport, to protect the integrity and authenticity of hostname resolutions. Note that this does not help against rebinding, where the attacker legitimately controls the zone and simply changes its answers.

  4. Implement Custom Hostname Validators: Develop custom logic to ensure that hostnames conform to expected formats (normalise case and trailing dots before comparison) and resolve to trusted IP addresses.
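The steps above, carried through as a single resolver, as an added example written for this page rather than code from the rule's own documentation. It assumes a hypothetical allowlist of two upstream names (api.example.com, files.example.com) and hypothetical method names; the address-range tests, the forward-confirmed reverse DNS check and the connect-by-pinned-address pattern are the parts that carry the remediation.

```java
import java.io.IOException;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;

public final class SafeHostnameResolver {

    // Assumed allowlist (hypothetical names): the only upstream hosts this service may contact.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("api.example.com", "files.example.com");

    // Lower-case and strip a trailing dot so "API.Example.com." matches the allowlist entry.
    static String normalise(String hostname) {
        String h = hostname.trim().toLowerCase(Locale.ROOT);
        return h.endsWith(".") ? h.substring(0, h.length() - 1) : h;
    }

    // A public upstream must not resolve into ranges usable for pivoting inside the network:
    // 0.0.0.0, loopback, link-local (this covers 169.254.169.254), RFC 1918 / fec0::/10, multicast.
    static boolean isPublicUnicast(InetAddress a) {
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return false;
        }
        // isSiteLocalAddress() does not cover IPv6 unique-local (fc00::/7); test the prefix by hand.
        return !(a instanceof Inet6Address && (a.getAddress()[0] & 0xfe) == 0xfc);
    }

    // Forward-confirmed reverse DNS. The PTR name alone is attacker-controlled (CWE-350);
    // it only means something once it resolves forward to the address we started from.
    static boolean forwardConfirmed(InetAddress addr) {
        String ptrName = addr.getCanonicalHostName();          // reverse lookup
        if (ptrName.equals(addr.getHostAddress())) {
            return false;                                      // no PTR record at all
        }
        try {
            return Arrays.asList(InetAddress.getAllByName(ptrName)).contains(addr);
        } catch (UnknownHostException e) {
            return false;                                      // PTR name does not resolve: fail closed
        }
    }

    // Resolve the name, check every address it maps to, and hand back the validated set.
    // Callers connect to these addresses, never to the name again, so an answer that changes
    // between check and use (the rebinding TOCTOU) cannot redirect the connection.
    static InetAddress[] resolveAllowed(String hostname, boolean requireFcrdns)
            throws UnknownHostException {
        String host = normalise(hostname);
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new SecurityException("hostname not in allowlist: " + host);
        }
        InetAddress[] addrs = InetAddress.getAllByName(host);
        for (InetAddress a : addrs) {
            if (!isPublicUnicast(a)) {
                throw new SecurityException(host + " resolved to a non-public address: " + a.getHostAddress());
            }
            if (requireFcrdns && !forwardConfirmed(a)) {
                throw new SecurityException(host + " failed forward-confirmed reverse DNS for " + a.getHostAddress());
            }
        }
        return addrs;
    }

    // Connect by pinned address, trying each validated address in order as a resolver would.
    static Socket connect(String hostname, int port, boolean requireFcrdns) throws IOException {
        IOException last = null;
        for (InetAddress a : resolveAllowed(hostname, requireFcrdns)) {
            Socket s = new Socket();
            try {
                s.connect(new InetSocketAddress(a, port), 5_000);  // by address, not by name
                return s;
            } catch (IOException e) {
                s.close();
                last = e;
            }
        }
        throw last != null ? last : new IOException("no addresses for " + hostname);
    }

    public static void main(String[] args) {
        // "localhost" is not on the allowlist and is rejected before any lookup happens.
        String[] candidates = args.length > 0 ? args : new String[] {"api.example.com", "localhost"};
        for (String name : candidates) {
            try {
                System.out.println(name + " -> " + Arrays.toString(resolveAllowed(name, false)));
            } catch (SecurityException | UnknownHostException e) {
                System.out.println(name + " rejected: " + e.getMessage());
            }
        }
    }
}
```

Two caveats apply when using this. The JVM caches successful lookups (30 seconds by default without a security manager, configurable through networkaddress.cache.ttl), which shortens the rebinding window but is not a substitute for connecting to the address that was actually checked. And when the connection is TLS, the original hostname must still be presented for SNI and certificate verification, for example by wrapping the pinned socket with SSLSocketFactory.createSocket(socket, host, port, true) and enabling endpoint identification through SSLParameters.setEndpointIdentificationAlgorithm("HTTPS"); pinning the address does not remove the need to verify the certificate against the name.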

References

  • CWE-350 : Reliance on Reverse DNS Resolution for a Security-Critical Action.

  • CAPEC-275 : DNS Rebinding.

  • CAPEC-142 : DNS Cache Poisoning.