
How to mitigate against Internal IP Address disclosure in Basic Authentication Header

In some cases, web servers may disclose internal IP addresses in response to specially crafted requests. One example is a request sent over HTTP/1.0 with a blank Host header to an IIS server that has Basic Authentication enabled.

An example configuration is provided below:

The domain name resolution is as follows:

www.domain.com 10.140.0.223

The Real Server (10.140.0.222) uses IIS Web Services and has Basic Authentication enabled.

Problem

In the normal case, when we connect to the server it responds with a 401 which requires the user to log in. The WWW-Authenticate Basic realm is set to the domain name we queried.

kemptech@LC-161:~$ curl http://www.domain.com -v -l --http1.0
> GET / HTTP/1.0
> User-Agent: curl/7.35.0
> Host: www.domain.com
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html
* Server Microsoft-IIS/8.5 is not blacklisted
< Server: Microsoft-IIS/8.5
< WWW-Authenticate: Basic realm="www.domain.com"
< Date: Fri, 06 Feb 2015 13:29:30 GMT
< Connection: close
< Content-Length: 1293

When a request is made with a blank Host header, the server falls back to using its own IP address as the realm in this header, thus exposing an internal address (in this case 10.140.0.222) to public clients.

When we send a blank Host Header:

kemptech@LC-161:~$ curl http://www.domain.com -v -l --http1.0 --Header 'Host: '
> GET / HTTP/1.0
> User-Agent: curl/7.35.0
> Accept: */*

< HTTP/1.1 401 Unauthorized
< Content-Type: text/html
* Server Microsoft-IIS/8.5 is not blacklisted
< Server: Microsoft-IIS/8.5
< WWW-Authenticate: Basic realm="10.140.0.222"
< Date: Fri, 06 Feb 2015 13:28:53 GMT
< Connection: close
< Content-Length: 1293

Solution

Typically, issues such as these should be resolved on the server side. However, if necessary, the following Content Rule on the LoadMaster can be used to prevent internal IP addresses from being exposed in this header.

The rule matches any WWW-Authenticate header whose Basic realm is an IPv4 address and replaces that address with the public domain name.


Header Modification

Rule Type: Replace Header
Header Field: WWW-Authenticate
Match String: /(Basic realm=)(\"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\")/
Replacement: \1"www.domain.com"
This can then be added to the Virtual Service: Virtual Services > View/Modify Services > Advanced Properties > HTTP Header Modifications > Response Rules.
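The same match-and-replace logic as the LoadMaster rule above, written in Python as an added example (this is not LoadMaster code and is not taken from the article). It is useful for testing a candidate match string offline before deploying it, and as a detection check over captured 401 responses. The dots in the IPv4 pattern are escaped so that "." matches only a literal dot, and the sample response is constructed from the output shown above; the replacement realm www.domain.com is the one used in the article.

```python
import re

# Match string from the article, with the dots escaped so that "." only matches
# a literal dot. Group 1 keeps "Basic realm=", group 2 is the quoted IPv4 address.
REALM_IP_RE = re.compile(
    r'(Basic realm=)("[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")'
)

# Public name that replaces the internal address (value from the article).
PUBLIC_NAME = "www.domain.com"


def realm_discloses_ip(value: str) -> bool:
    """Detection check: does this WWW-Authenticate value carry an IPv4 realm?"""
    return REALM_IP_RE.search(value) is not None


def rewrite_www_authenticate(value: str, public_name: str = PUBLIC_NAME) -> str:
    """Equivalent of the Replace Header rule: \\1"www.domain.com"."""
    return REALM_IP_RE.sub(lambda m: f'{m.group(1)}"{public_name}"', value)


def sanitize_response(raw: bytes, public_name: str = PUBLIC_NAME) -> bytes:
    """Apply the rule to every WWW-Authenticate header of a raw HTTP response.

    Only the header block is touched; status line and body are passed through.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    out = []
    for line in head.split(b"\r\n"):
        name, colon, val = line.partition(b":")
        # The status line has no colon, so 'colon' is empty and it is left alone.
        if colon and name.strip().lower() == b"www-authenticate":
            fixed = rewrite_www_authenticate(val.decode("latin-1").strip(), public_name)
            line = name + b": " + fixed.encode("latin-1")
        out.append(line)
    return b"\r\n".join(out) + sep + body


# Constructed sample, modelled on the blank-Host-header response in the article
# (Content-Length shortened to 0 because no body is included here).
SAMPLE_401 = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/8.5\r\n"
    b'WWW-Authenticate: Basic realm="10.140.0.222"\r\n'
    b"Connection: close\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def check_sample() -> dict:
    """Run the check and the rewrite over the constructed sample response."""
    before = realm_discloses_ip(SAMPLE_401.decode("latin-1"))
    cleaned = sanitize_response(SAMPLE_401)
    after = realm_discloses_ip(cleaned.decode("latin-1"))
    return {"leaks_before": before, "leaks_after": after, "cleaned": cleaned}


if __name__ == "__main__":
    result = check_sample()
    print("leaks before rule:", result["leaks_before"])
    print("leaks after rule: ", result["leaks_after"])
    print(result["cleaned"].decode("latin-1"))
```

Because the pattern anchors on `Basic realm=` and a quoted dotted quad, a realm that already holds a host name such as www.domain.com is left untouched, so the rule is safe to apply to every response of the Virtual Service.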
The internal address is now hidden in all responses and replaced with www.domain.com:

kemptech@LC-161:~$ curl http://www.domain.com -v -l --http1.0 --Header 'Host: '
> GET / HTTP/1.0
> User-Agent: curl/7.35.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html
* Server Microsoft-IIS/8.5 is not blacklisted
< Server: Microsoft-IIS/8.5
< WWW-Authenticate: Basic realm="www.domain.com"
< Date: Fri, 06 Feb 2015 14:16:48 GMT
< Connection: close
< Content-Length: 1293