IIS 7: IP Address revealed on redirection requests on HTTP/1.0 protocol
I recently worked on an interesting case where the internal IP address of an IIS 7 server was revealed whenever we queried it through the wfetch tool.
Request Flow
==========
Client -> ISA -> IIS 7
x.x.x.30 -> x.x.x.10 -> x.x.x.20
DNS is installed on the ISA server, with an A record for iistest.com pointing to x.x.x.20.
Our first thought was to follow KB 834141, so we ran the following command on the IIS 7 box (a fresh install):
C:\Windows\System32\inetsrv>appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"iistest.com" /commit:apphost
That didn't help, so we captured a Netmon sniffer trace for:
1) Request from wfetch
2) Request from IE
Request (wfetch):
GET /exchange/ HTTP/1.0
Response:
HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: https://X.X.X.20/exchweb/bin/auth/owalogon.asp?url=https://X.X.X.20/exchange/&reason=0&replaceCurrent=1
Set-Cookie: sessionid=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: cadata=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Date: Tue, 02 Dec 2008 15:49:46 GMT
Connection: close
Request (IE):
GET /exchange HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Host: iistest
Connection: Keep-Alive
Response:
HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: https://iistest/exchweb/bin/auth/owalogon.asp?url=https://iistest/exchange&reason=0&replaceCurrent=1
Set-Cookie: sessionid=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: cadata=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Date: Tue, 02 Dec 2008 15:51:50 GMT
The difference between the two requests is the protocol version: HTTP/1.0 versus HTTP/1.1. What I make of it:
“HTTP/1.1 requires requests to include a Host header”
HTTP/1.0 assumed that a GET would be sent directly to the correct server (with a relative path), so the request carries no Host header. When the server has to turn that relative path into an absolute Location URL, it has no hostname to use and falls back to its own IP address.
Bingo! Now we know that whenever a 302 response is returned to an HTTP/1.0 request, the internal IP address is revealed.
The point is how to block HTTP/1.0 requests on the server side:
1) Write your own ISAPI filter or module to scan incoming headers and reject the request if it uses the HTTP/1.0 protocol.
2) Or use the URL Rewrite module on IIS 7.
I followed the latter approach and created a rewrite rule in the web.config of the Default Web Site (C:\inetpub\wwwroot):
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Abort any request whose protocol version is HTTP/1.0 -->
        <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" />
          <conditions>
            <add input="{SERVER_PROTOCOL}" pattern="HTTP/1.0" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
This rule blocks requests coming in on HTTP/1.0 with a "page cannot be displayed" error; you can modify the rule to show an error page stating that HTTP/1.0 is not allowed. :)
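As an added example (not code from the original post), the Python below models the behaviour traced above and the rewrite rule just shown: the redirect host is taken from the Host header when present and from the listening address when absent, an audit function flags Location headers whose host is an IP literal, and abort_http10 mirrors the rule's {SERVER_PROTOCOL} condition. The request text is copied from the captures above; the server logic is a simplified assumption rather than IIS internals, and 10.0.0.20 is a constructed stand-in for x.x.x.20.

```python
# Added example, not code from the original post. Models the redirect-host
# fallback the post observed and audits raw responses for IP literals in
# Location headers. The server logic is a simplified assumption, not IIS
# internals; the IP address is a constructed stand-in for the post's x.x.x.20.
import re
from ipaddress import ip_address

# Constructed: the two requests as captured in the post (wfetch and IE).
REQ_WFETCH = "GET /exchange/ HTTP/1.0\r\n\r\n"
REQ_IE = (
    "GET /exchange HTTP/1.1\r\n"
    "Host: iistest\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
BOUND_IP = "10.0.0.20"   # constructed; stands in for the post's x.x.x.20


def parse_request(raw):
    """Split a raw HTTP request into (method, path, version, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def redirect_host(headers, bound_ip):
    """The fallback the post observed: no Host header -> the server's own IP."""
    return headers.get("host") or bound_ip


def build_redirect(raw_request, bound_ip=BOUND_IP):
    """Build the OWA-style Location value (shape copied from the post's captures)."""
    _, path, _, headers = parse_request(raw_request)
    host = redirect_host(headers, bound_ip)
    return (f"https://{host}/exchweb/bin/auth/owalogon.asp"
            f"?url=https://{host}{path}&reason=0&replaceCurrent=1")


def location_ip_literal(raw_response):
    """Return the IP literal used as host in a response's Location header, or None.

    Audit check: run it over captured 3xx responses from your own servers;
    a hit means the redirect exposes an address instead of a hostname.
    """
    m = re.search(r"^Location:\s*(\S+)", raw_response, re.I | re.M)
    if not m:
        return None
    host = re.match(r"https?://([^/:?#]+)", m.group(1))
    if not host:
        return None
    try:
        return str(ip_address(host.group(1)))
    except ValueError:
        return None   # a hostname, not an address literal


def abort_http10(raw_request):
    """Mirror of the post's URL Rewrite rule: {SERVER_PROTOCOL} == HTTP/1.0 -> abort."""
    _, _, version, _ = parse_request(raw_request)
    return version == "HTTP/1.0"


if __name__ == "__main__":
    for name, req in (("wfetch", REQ_WFETCH), ("IE", REQ_IE)):
        loc = build_redirect(req)
        resp = f"HTTP/1.1 302 Moved Temporarily\r\nLocation: {loc}\r\n\r\n"
        print(f"{name}: abort={abort_http10(req)} leaks={location_ip_literal(resp)}")
```

Running the module prints one line per captured request; location_ip_literal is the piece worth running over your own captured 3xx responses after a configuration change, since it tells you whether the fix actually removed the address from the Location header.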
Comments
- Anonymous
May 22, 2014
Blocking HTTP/1.0 is a pretty lousy idea, since what you're really trying to block is requests without a HOST header, which HTTP/1.0 requests often have. HTTP/1.1 requests are required to send a HOST header but that doesn't mean that a bad guy will do so.