How to mitigate against Internal IP Address disclosure in Basic Authentication Header
In some cases, web servers may disclose internal IP addresses in response to specially crafted requests. One example is a request sent over HTTP/1.0 with a blank Host header to an IIS server that uses Basic Authentication.
An example configuration is provided below:
The domain name resolution is as follows:
www.domain.com 10.140.0.223
The Real Server (10.140.0.222) uses IIS Web Services and has Basic Authentication enabled.
Problem
In the normal case, when we connect to the server it responds with a 401 Unauthorized, prompting the user to log in. The realm in the WWW-Authenticate: Basic header is set to the domain name we queried.
kemptech@LC-161:~$ curl http://www.domain.com -v -l --http1.0
> GET / HTTP/1.0
> User-Agent: curl/7.35.0
> Host: www.domain.com
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html
* Server Microsoft-IIS/8.5 is not blacklisted
< Server: Microsoft-IIS/8.5
< WWW-Authenticate: Basic realm="www.domain.com"
< Date: Fri, 06 Feb 2015 13:29:30 GMT
< Connection: close
< Content-Length: 1293
When a request is made with a blank Host header, the server falls back to its own IP address as the realm value, exposing an internal address (in this case 10.140.0.222) to public clients.
When we send a blank Host header:
kemptech@LC-161:~$ curl http://www.domain.com -v -l --http1.0 --Header 'Host: '
> GET / HTTP/1.0
> User-Agent: curl/7.35.0
> Accept: */*
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html
* Server Microsoft-IIS/8.5 is not blacklisted
< Server: Microsoft-IIS/8.5
< WWW-Authenticate: Basic realm="10.140.0.222"
< Date: Fri, 06 Feb 2015 13:28:53 GMT
< Connection: close
< Content-Length: 1293
Solution
Typically, issues such as these should be resolved on the server side. However, if necessary, the following Content Rule on the LoadMaster can be used to prevent internal IP addresses from being exposed.
The rule matches any WWW-Authenticate header whose realm contains an IP address and replaces that value with the domain name.
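As an added example (not the LoadMaster Content Rule itself, whose syntax is not shown on this page, and not code from Kemp), the following Python implements the same two steps against a raw HTTP/1.0 response: a check that flags a WWW-Authenticate realm that is a bare IP address, as in the blank-Host output in the Problem section above, and a rewrite that replaces such a realm with the public domain name. The sample response and the public name www.domain.com are constructed for the example; the functions and their names are assumptions, not any product's API.

```python
import ipaddress
import re

# Captures the realm value inside a "WWW-Authenticate: Basic realm="..."" header.
REALM_RE = re.compile(r'(?i)(Basic\s+realm=")([^"]*)(")')


def realm_is_ip(realm):
    """True when the realm is a bare IPv4/IPv6 literal rather than a host name."""
    try:
        ipaddress.ip_address(realm)
        return True
    except ValueError:
        return False


def rewrite_www_authenticate(header_value, public_name):
    """Replace an IP-address realm with public_name; leave other realms untouched."""
    m = REALM_RE.search(header_value)
    if not m or not realm_is_ip(m.group(2)):
        return header_value
    return header_value[:m.start(2)] + public_name + header_value[m.end(2):]


def parse_response_headers(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...])."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def find_ip_realm_leaks(raw):
    """Detection check: return every realm value that is an IP address literal."""
    _, headers = parse_response_headers(raw)
    leaks = []
    for name, value in headers:
        if name.lower() == "www-authenticate":
            m = REALM_RE.search(value)
            if m and realm_is_ip(m.group(2)):
                leaks.append(m.group(2))
    return leaks


def sanitize_response(raw, public_name):
    """Rebuild the response with every IP-address realm replaced by public_name.

    Only header values change; the body and therefore Content-Length are untouched.
    """
    _, sep, body = raw.partition(b"\r\n\r\n")
    status, headers = parse_response_headers(raw)
    out = [status]
    for name, value in headers:
        if name.lower() == "www-authenticate":
            value = rewrite_www_authenticate(value, public_name)
        out.append(f"{name}: {value}")
    return "\r\n".join(out).encode("iso-8859-1") + sep + body


# Constructed sample response, modelled on the blank-Host output shown above
# (the realm 10.140.0.222 is the page's own example address).
LEAKING_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/8.5\r\n"
    b'WWW-Authenticate: Basic realm="10.140.0.222"\r\n'
    b"Connection: close\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"Hello"
)


if __name__ == "__main__":
    print("leaked realms:", find_ip_realm_leaks(LEAKING_RESPONSE))
    print(sanitize_response(LEAKING_RESPONSE, "www.domain.com").decode("iso-8859-1"))
```

The rewrite keys on the realm being an IP literal (via ipaddress.ip_address), so a realm that is already a host name passes through unchanged; running find_ip_realm_leaks over the sanitized response is the quickest way to confirm the mitigation took effect.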
Header Modification
With the rule in place, the same blank Host header request now returns the domain name in the realm:
> GET / HTTP/1.0
> User-Agent: curl/7.35.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html
* Server Microsoft-IIS/8.5 is not blacklisted
< Server: Microsoft-IIS/8.5
< WWW-Authenticate: Basic realm="www.domain.com"
< Date: Fri, 06 Feb 2015 14:16:48 GMT
< Connection: close
< Content-Length: 1293