I recently worked on an interesting case where an internal IP address was revealed whenever we queried the server with the wfetch tool.
Request Flow
==========
Client -> ISA -> IIS 7
x.x.x.30 -> x.x.x.10 -> x.x.x.20
We have DNS installed on the ISA server, with an A record for iistest.com pointing to x.x.x.20.
My first thought was to follow KB 834141, so we ran the following command on the IIS 7 box (it's a new install):
C:\Windows\System32\inetsrv>appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"iistest.com" /commit:apphost
That didn't help. Next we captured a Netmon sniffer trace of:
1) Request from wfetch
2) Request from IE
Request (wfetch):
GET /exchange/ HTTP/1.0
Response:
HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: https://X.X.X.20/exchweb/bin/auth/owalogon.asp ?url=https://X.X.X.20/exchange/&reason=0&replaceCurrent=1
Set-Cookie: sessionid=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: cadata=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Date: Tue, 02 Dec 2008 15:49:46 GMT
Connection: close
Request (IE):
GET /exchange HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Host: iistest
Connection: Keep-Alive
Response:
HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: https://iistest/exchweb/bin/auth/owalogon.asp?url=https://iistest/exchange&reason=0&replaceCurrent=1
Set-Cookie: sessionid=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: cadata=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Date: Tue, 02 Dec 2008 15:51:50 GMT
The difference between the two requests is the protocol version: HTTP/1.0 versus HTTP/1.1. What I can make out of it:
“HTTP/1.1 requires requests to include a Host header”
HTTP/1.0 assumed that a GET would be sent directly to the correct server (with a relative path). With no Host header to build the redirect from, this relative path is translated into the server's IP address.
Bingo!! Now we know: whenever a 302 is returned for an HTTP/1.0 request, the internal IP address is revealed.
The point is how to disable HTTP/1.0 requests on the server side:
1) You can write your own ISAPI filter or module to scan incoming headers and reject a request if it arrives over the HTTP/1.0 protocol
2) Or use the URL Rewrite module on IIS 7
I followed the latter approach and created a rewrite rule in web.config for the Default Web Site location (C:\inetpub\wwwroot):
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Abort any request, whatever its URL, when the SERVER_PROTOCOL variable reads
             HTTP/1.0. AbortRequest drops the HTTP connection instead of sending a response,
             which is why the client sees "page cannot be displayed". -->
        <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" />
          <conditions>
            <add input="{SERVER_PROTOCOL}" pattern="HTTP/1.0" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
This rule blocked requests arriving over HTTP/1.0 with a "page cannot be displayed" error; you can modify the rule to return an error page stating that HTTP/1.0 is not allowed. :)
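As an added check that is not part of the original post (my own code, not a Microsoft tool), the following Python script parses a raw HTTP response for IP literals in its redirect headers and can replay the bare HTTP/1.0 request wfetch sent, so you can confirm the disclosure before applying the rule and the aborted connection after. The sample responses and the 10.0.0.20 address are constructed (the post masks its addresses as x.x.x.20); `probe` assumes a plain-HTTP listener on port 80.

```python
import ipaddress
import re
import socket

# Constructed sample responses modelled on the two captures above; the post masks the
# real address as x.x.x.20, so 10.0.0.20 is a made-up private address standing in for it.
LEAKY_RESPONSE = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Location: https://10.0.0.20/exchweb/bin/auth/owalogon.asp"
    b"?url=https://10.0.0.20/exchange/&reason=0&replaceCurrent=1\r\n\r\n"
)
CLEAN_RESPONSE = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Location: https://iistest/exchweb/bin/auth/owalogon.asp"
    b"?url=https://iistest/exchange&reason=0&replaceCurrent=1\r\n\r\n"
)
# Host part of every http(s) URL in a header value, including one nested in the query string.
URL_HOST = re.compile(r"https?://([^/\s:?&#]+)")

def leaked_hosts(raw):
    """(ip, is_private) for each distinct IPv4 literal used as a host in the Location or
    Content-Location header of a raw HTTP response; hostnames are ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    found = []
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("location", "content-location"):
            continue
        for host in URL_HOST.findall(value):
            try:
                entry = (host, ipaddress.ip_address(host).is_private)
            except ValueError:                     # a hostname, not an IP literal
                continue
            if entry not in found:
                found.append(entry)
    return found

def probe(host, port=80, path="/exchange/", timeout=5):
    """Replay wfetch's bare HTTP/1.0 request (no Host header). A reset connection means
    the server aborted it, which is what the AbortRequest rule above does."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii"))
            raw = b""
            while chunk := sock.recv(4096):
                raw += chunk
    except ConnectionResetError:
        return {"aborted": True, "leaked": []}
    return {"aborted": False, "leaked": leaked_hosts(raw)}
```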
Comments
- Anonymous
May 22, 2014
Blocking HTTP/1.0 is a pretty lousy idea, since what you're really trying to block is requests without a HOST header, which HTTP/1.0 requests often have. HTTP/1.1 requests are required to send a HOST header but that doesn't mean that a bad guy will do so.