Penetration test and request Host header
- From: James <jconnell1969@xxxxxxxxx>
- Date: Tue, 16 Jun 2009 11:47:27 -0700 (PDT)
Hi all,
We were recently dinged during a client's penetration test. The issue
revolves around an intentionally incorrect Host header in a request to
IIS. Specifically, the request is for a directory as in
https://our.domain.com/dir/dir2. Note the lack of a trailing slash on
the URL.
The tester crafted a request to our server that looked like the
following. Note the Host header that contains a domain that is not
ours:
GET /dir1/dir2 HTTP/1.0
Host: www.google.com
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
The response from IIS looks like
HTTP/1.1 301 Moved Permanently
Content-Length: 159
Content-Type: text/html
Location: https://www.google.com/dir1/dir2/
Date: Tue, 16 Jun 2009 15:11:26 GMT
Connection: close
[snipped response HTML]
Note the Location header in the response - it's a redirect to google.
The server has one website configured, port 80 is using a host header
and of course port 443 does not. Requests on port 80 were not a part
of the test.
It appears as though IIS wants to redirect the user-agent to a URL
with a trailing slash ( Location: https://www.google.com/dir1/dir2/ )
which works nicely when the correct Host header is passed. Is there
any way to force IIS to use our.domain.com for this redirection? MSDN
specifically ruled out the use of UseHostName property for this
purpose.
Any ideas? Any help would be appreciated.
Thanks in advance,
James
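To make the redirect behaviour concrete from the defender's side, here is an added example (not James's code and not IIS code) that builds the trailing-slash redirect two ways: once from the request Host header, as the response above shows, and once from a configured canonical hostname. The request text, the hostname our.domain.com as the configured site name, and the function names are all constructed for the example.

```python
"""Trailing-slash redirect built from the request Host header beside a
hardened version that only redirects to the configured site name."""
from urllib.parse import urlsplit

# Constructed request modelled on the one quoted in the post.
REQUEST = (
    "GET /dir1/dir2 HTTP/1.0\r\n"
    "Host: www.google.com\r\n"
    "Accept: */*\r\n\r\n"
)


def parse_request(raw):
    """Return (path, headers) from a raw HTTP/1.x request head."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    _method, path, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers


def redirect_trusting_host(raw, scheme="https"):
    """Weak: the client-supplied Host header lands in Location unchanged."""
    path, headers = parse_request(raw)
    return f"{scheme}://{headers['host']}{path}/"


def redirect_canonical(raw, canonical_host, scheme="https"):
    """Hardened: Location is built only from the configured hostname
    (canonical_host is an assumed deployment setting, e.g. our.domain.com).
    Requests for a Host the site is not configured to serve get None,
    which the caller should turn into a 400 instead of a redirect."""
    path, headers = parse_request(raw)
    if headers.get("host", "").lower() != canonical_host.lower():
        return None
    return f"{scheme}://{canonical_host}{path}/"


def location_is_offsite(location, canonical_host):
    """Detection check for proxy or test logs: does a Location header
    point at a host other than the one this site should redirect to?"""
    host = urlsplit(location).hostname or ""
    return host.lower() != canonical_host.lower()
```

Running `location_is_offsite` over captured 301 responses is a quick way to confirm whether a fix has actually taken effect, independent of which Host value the tester sends.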