Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-27812

Provide option in HBase UI to disable stack trace for security



    • Improvement
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • None
    • 2.6.0, 3.0.0-alpha-4
    • UI
    • None
    • Reviewed


      Uncaught server exceptions occur when providing parameter values that the server or servlet does not understand.
      Physical paths, versioning information, stack traces' content, and other data can be gathered and used to help further an attack when improper error handling is present.

      Applications should always fail safe in their designs. If an application fails to an unknown state, it is likely that an attacker may be able to exploit this indeterminate state to access unauthorized functionality, or worse, create, modify or destroy data. Error messages may also aid in the identification of other attacks such as buffer overflows and SQL injection, and can generally contribute to an overall weaker security posture.

      For example, if we use a HTTPS web server and explicitly provide Host header with a wrong value, say attackers.com, we get the following response in UI:

      <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
      <title>Error 400 Host does not match SNI</title>
      <body><h2>HTTP ERROR 400 Host does not match SNI</h2>
      <tr><th>MESSAGE:</th><td>Host does not match SNI</td></tr>
      <tr><th>CAUSED BY:</th><td>org.apache.hbase.thirdparty.org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI</td></tr>
      <h3>Caused by:</h3><pre>org.apache.hbase.thirdparty.org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI
         at org.apache.hbase.thirdparty.org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:279)
         at org.apache.hbase.thirdparty.org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:210)
         at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:483)
         at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
         at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
         at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.run(HttpChannel.java:439)
         at org.apache.hbase.thirdparty.org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
         at org.apache.hbase.thirdparty.org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
         at java.lang.Thread.run(Thread.java:750)



        Issue Links



              yashdodeja Yash Dodeja
              yashdodeja Yash Dodeja
              0 Vote for this issue
              4 Start watching this issue