
I had already handled a URL tampering scenario where I have a filter with a regex that compares the query strings, and if there are any escape or special characters in them, it returns a customized message of "Invalid Parameters" which is shown on the screen.

Now this was working fine while we were using JBoss 6.4.10, but after upgrading to JBoss 6.4.20 it is not even hitting the filter; somewhere JBoss 6.4.20 is validating the request URI that contains escape characters (curly braces in my case) and throws a 400 Bad Request error.

Please avoid suggesting solutions like upgrading to JBoss 7, etc. I am aware that JBoss 7 has a flag "ALLOW_UNESCAPED_CHARACTERS_IN_URL" that resolves this issue, but I cannot use JBoss 7.

shrey mathuria

2 Answers


As far as I know, this behavior is related to the following security vulnerability: CVE-2016-6816. Try the tomcat.util.http.parser.HttpParser.requestTargetAllow system property. Any characters listed in the value of this property will be allowed again. Another alternative is to downgrade to JBoss EAP 6.4.12 or earlier.


Add the following argument to the standalone.conf file:

JAVA_OPTS="$JAVA_OPTS -Dtomcat.util.http.parser.HttpParser.requestTargetAllow='{|}'"
xskxzr
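An added example, not code from the question or either answer: a small model of the request-target character check that rejects the request in the HTTP parser before any servlet filter runs, and of what the requestTargetAllow property relaxes. The allowed character classes follow RFC 3986 and the three relaxable characters follow Tomcat's documentation for the property; the Tomcat parser itself is not reproduced, and the sample request targets are constructed.

```python
# Model of the post-CVE-2016-6816 request-target check (not Tomcat's code).
import string
from urllib.parse import quote

# Characters RFC 3986 permits unencoded in a path or query:
# unreserved, sub-delims, ":" "@" "/" "?" and "%" for pct-encoded triplets.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
SUB_DELIMS = set("!$&'()*+,;=")
ALLOWED = UNRESERVED | SUB_DELIMS | set(":@/?%")

# Only these three characters can be re-enabled through
# tomcat.util.http.parser.HttpParser.requestTargetAllow; Tomcat ignores
# (and warns about) anything else in the property value.
RELAXABLE = set("{|}")


def parse_request_target_allow(prop_value):
    """Return the set of extra characters a given property value enables."""
    if prop_value is None:
        return set()
    return {c for c in prop_value if c in RELAXABLE}


def validate_request_target(target, extra_allowed=frozenset()):
    """Return None if the request target passes the character check,
    otherwise the first offending character. A rejection here is what
    produces the 400 before the application's filter ever sees the request."""
    for c in target:
        if c in ALLOWED or c in extra_allowed:
            continue
        return c
    return None


def is_rejected_before_filter(target, prop_value=None):
    """True when the server would answer 400 instead of invoking the filter."""
    extra = parse_request_target_allow(prop_value)
    return validate_request_target(target, extra) is not None


def percent_encode_query_value(value):
    """Client-side alternative to relaxing the check: encode the braces
    so the request target is valid without any server property."""
    return quote(value, safe="")
```

Note that the filter-based check from the question still runs on the percent-encoded form, since the container decodes the query string before the filter inspects it.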