Penetration test and request Host header

"James" <jconnell1***@yahoo.com> wrote:

Hi all,

We were recently dinged during a client's penetration test. The issue revolves around an intentionally incorrect Host header in a request to IIS. Specifically, the request is for a directory as in https://our.domain.com/dir/dir2. Note the lack of a trailing slash on the URL.

The tester crafted a request to our server that looked like the following. Note the Host header that contains a domain that is not ours:

    GET /dir1/dir2 HTTP/1.0
    Host: www.google.com
    Accept: */*
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)

The response from IIS looks like

    HTTP/1.1 301 Moved Permanently
    Content-Length: 159
    Content-Type: text/html
    Location: https://www.google.com/dir1/dir2/
    Date: Tue, 16 Jun 2009 15:11:26 GMT
    Connection: close

    [snipped response HTML]

Note the Location header in the response - it's a redirect to google.

The server has one website configured, port 80 is using a host header and of course port 443 does not. Requests on port 80 were not a part of the test.

It appears as though IIS wants to redirect the user-agent to a URL with a trailing slash (Location: https://www.google.com/dir1/dir2/), which works nicely when the correct Host header is passed. Is there any way to force IIS to use our.domain.com for this redirection? MSDN specifically ruled out the use of the UseHostName property for this purpose.

Any ideas? Any help would be appreciated.

Thanks in advance,
James


Ken replied:

Why should IIS change "www.google.com" to "our.domain.com"? That sounds like an information disclosure vulnerability that your penetration testers are probably going to "ding" you on. When the request comes in for https://www.google.com then http.sys can reject it, as you don't have anything listening for that specifically.

Cheers
Ken
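The two behaviours discussed above, as an added example that is not code from the thread or from IIS: a small Python HTTP server whose first handler builds the Location of its trailing-slash 301 from whatever Host header the client sent (the shape of the response James pasted), beside a hardened handler that only redirects when Host is on an allow-list and otherwise answers 400, which is the "reject it" outcome Ken describes. The probe replays the tester's raw HTTP/1.0 request against each handler on a loopback port. The host names, the allow-list and the directory path are constructed values for illustration, not anything from the original server.

```python
"""Host-header-trusting redirects: the weakness in the thread, and the fix.

Added example; not code from the newsgroup posts or from IIS. The allow-list,
host names and paths are constructed for illustration.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allow-list: the names this site is legitimately reachable under.
ALLOWED_HOSTS = {"our.domain.com"}

# Constructed "directories" that trigger a courtesy trailing-slash redirect.
DIRECTORIES = {"/dir1/dir2"}


def redirect_target(host_header, path, allowed_hosts=ALLOWED_HOSTS):
    """Location for the trailing-slash redirect, or None when the Host header
    (port stripped, case-folded) is not one of ours, in which case the caller
    should answer 400 rather than redirect to an attacker-chosen host."""
    host = (host_header or "").split(":", 1)[0].strip().lower()
    if host not in allowed_hosts:
        return None
    return "https://%s%s/" % (host, path)


class VulnerableHandler(BaseHTTPRequestHandler):
    """Copies the request's Host header into Location, unvalidated."""

    def do_GET(self):
        if self.path in DIRECTORIES:
            self.send_response(301)
            self.send_header("Location", "https://%s%s/"
                             % (self.headers.get("Host", ""), self.path))
        else:
            self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet on stderr
        pass


class HardenedHandler(VulnerableHandler):
    """Redirects only for an allow-listed Host; anything else gets a 400."""

    def do_GET(self):
        if self.path in DIRECTORIES:
            target = redirect_target(self.headers.get("Host"), self.path)
            if target is None:
                self.send_response(400)
            else:
                self.send_response(301)
                self.send_header("Location", target)
        else:
            self.send_response(404)
        self.end_headers()


def probe(handler_cls, host_header, path="/dir1/dir2"):
    """Serve one request with handler_cls on a loopback port, send the tester's
    raw HTTP/1.0 request with the given Host header, and return
    (status_code, Location header or None)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    worker = threading.Thread(target=server.handle_request)
    worker.start()
    try:
        with socket.create_connection(server.server_address) as sock:
            request = ("GET %s HTTP/1.0\r\nHost: %s\r\nAccept: */*\r\n"
                       "User-Agent: probe\r\n\r\n" % (path, host_header))
            sock.sendall(request.encode("ascii"))
            raw = b""
            while True:
                chunk = sock.recv(4096)
                if not chunk:  # HTTP/1.0: server closes after the response
                    break
                raw += chunk
    finally:
        worker.join()
        server.server_close()
    header_lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    status = int(header_lines[0].split()[1])
    location = None
    for line in header_lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


if __name__ == "__main__":
    print("vulnerable, Host: www.google.com ->", probe(VulnerableHandler, "www.google.com"))
    print("hardened,   Host: www.google.com ->", probe(HardenedHandler, "www.google.com"))
    print("hardened,   Host: our.domain.com ->", probe(HardenedHandler, "our.domain.com"))
```

The check is deliberately on the Host value the client sent, not on the server's own configuration: the allow-list is compared after stripping any :port suffix and folding case, so "OUR.domain.com:443" is accepted while "www.google.com" is refused before any Location header is built. Rejecting the request is the right outcome here; "correcting" the Host to our.domain.com, as the original question asks, would still let an attacker-supplied header reach the redirect logic. On IIS the equivalent control is to make sure nothing answers for host names that are not yours, which is the point of Ken's reply.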