Re: Penetration test and request Host header
Why should IIS change "www.google.com" to "our.domain.com"? That sounds like an information disclosure vulnerability that your penetration testers are probably going to "ding" you on.

When the request comes in for https://www.google.com then http.sys can reject it, as you don't have anything listening for that specifically.

Cheers
Ken

--
http://adopenstatic.com/blog

"James" <jconnell1969@xxxxxxxxx> wrote in message news:6ac4267d-ff5d-48b5-9f4f-f95b159c03ee@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi all,

We were recently dinged during a client's penetration test. The issue
revolves around an intentionally incorrect Host header in a request to
IIS. Specifically, the request is for a directory as in
https://our.domain.com/dir/dir2. Note the lack of a trailing slash on
the URL.

The tester crafted a request to our server that looked like the
following. Note the Host header that contains a domain that is not
ours:

GET /dir1/dir2 HTTP/1.0
Host: www.google.com
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)

The response from IIS looks like

HTTP/1.1 301 Moved Permanently
Content-Length: 159
Content-Type: text/html
Location: https://www.google.com/dir1/dir2/
Date: Tue, 16 Jun 2009 15:11:26 GMT
Connection: close

[snipped response HTML]

Note the Location header in the response - it's a redirect to google.

The server has one website configured, port 80 is using a host header
and of course port 443 does not. Requests on port 80 were not a part
of the test.

It appears as though IIS wants to redirect the user-agent to a URL
with a trailing slash ( Location: https://www.google.com/dir1/dir2/ )
which works nicely when the correct Host header is passed. Is there
any way to force IIS to use our.domain.com for this redirection? MSDN
specifically ruled out the use of UseHostName property for this
purpose.

Any ideas? Any help would be appreciated.

Thanks in advance,
James
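As an added example (not code from either poster), a defender's regression check for the behaviour James describes: it replays a captured request/response pair and reports when the redirect's Location points at whatever host the client supplied in the Host header instead of the site's canonical name. The canonical host our.domain.com and the sample exchange are taken from the post above; the function and its labels are this example's own.

```python
from urllib.parse import urlsplit

# Sample exchange copied from the post above: the request carried a foreign
# Host header and IIS answered with a trailing-slash redirect to that host.
SAMPLE_REQUEST = (
    "GET /dir1/dir2 HTTP/1.0\r\n"
    "Host: www.google.com\r\n"
    "Accept: */*\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Length: 159\r\n"
    "Content-Type: text/html\r\n"
    "Location: https://www.google.com/dir1/dir2/\r\n"
    "Date: Tue, 16 Jun 2009 15:11:26 GMT\r\n"
    "Connection: close\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return (start_line, {lowercased-name: value}) for a raw HTTP message head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def redirect_reflects_host(request, response, canonical_host):
    """Classify a response: 'none' (not a redirect), 'ok' (relative Location or
    canonical host), 'reflected' (Location host equals the client-supplied Host
    header), or 'foreign' (Location host is neither canonical nor reflected)."""
    _, req_headers = parse_headers(request)
    status_line, resp_headers = parse_headers(response)
    status = status_line.split()[1]
    location = resp_headers.get("location")
    if not status.startswith("3") or location is None:
        return "none"
    loc_host = urlsplit(location).hostname  # None for a relative Location
    if loc_host is None or loc_host == canonical_host.lower():
        return "ok"
    req_host = req_headers.get("host", "").split(":")[0].lower()
    return "reflected" if loc_host == req_host else "foreign"

if __name__ == "__main__":
    print(redirect_reflects_host(SAMPLE_REQUEST, SAMPLE_RESPONSE, "our.domain.com"))
```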
