Internal IP Header Disclosure on Virtual Services
Information
Summary:
Looking to mitigate the internal virtual service IP from being disclosed through a vulnerability scan.
Environment:
Product: VLM-3000  Version: Any  Platform: Any  Application: Any
Question/Problem Description:
The security scanner is reporting an internal IP header disclosure vulnerability on several servers. We tried the solutions mentioned on your site for the Basic Authentication Header and Real Server Redirects, but the vulnerability still exists.
Steps to Reproduce:
Run a vulnerability scan against the virtual service; it will report that the internal IP is being exposed.
Error Message:
"Web Server HTTP Header Internal IP Disclosure Synopsis This web server leaks a private IP address through its HTTP headers"
Defect Number:
Enhancement Number:
Cause:
Empty Host header in the request
Resolution:
For this scenario, we typically recommend a method which involves creating two sub virtual services on the HTTP redirect VS and creating rules to prevent the internal IP disclosure. See below:
As an alternative, Replace Header Content Rules can be leveraged:

1. Determine which response header is exposing the IP. Common headers that disclose it are Location and WWW-Authenticate. Use the Developer Tools in a modern web browser (F12 on Windows, CTRL + Shift + J on Mac products) and browse to the site that is disclosing the IP, then inspect the response headers.

2. In the LoadMaster web UI, navigate to Rules & Checking > Content Rules > Create New and change the Rule Type to Replace Header. Name the rule and set the match string to: /(.*)(\d+\.\d+\.\d+\.\d+)(.*)/ and the value the header is replaced with to: \1www.domain.com\3 where www.domain.com is the public hostname of the virtual service. Click Create Rule.

3. Navigate to Virtual Services > View/Modify Services and modify the VS that www.domain.com resolves to (and, if necessary, the desired SubVS). Under Advanced Properties > HTTP Header Modifications, apply the newly created rule as a Response Rule.

Note that on a port 443 VS the HTTP Header Modifications field is not shown until SSL has been enabled and a certificate has been applied, because traffic must first be decrypted before HTTP headers can be inspected.
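The rewrite the Replace Header rule performs, together with a check for the condition the scanner reports, as an added Python example that is not part of this article or of the LoadMaster product; it emulates the rule on constructed sample headers. On a backtracking regex engine such as Python's re, the greedy leading (.*) in the article's match string captures everything up to the shortest dotted quad at the end of the address (so 10.0.0.5 becomes 1www.domain.com), which is why the example also shows a variant with a non-greedy leading group and word boundaries; whether the LoadMaster engine behaves the same way is an assumption, so verify the rule against a real response.

```python
import re
from ipaddress import ip_address

# Match string and replacement value exactly as the article gives them.
ARTICLE_MATCH = re.compile(r"(.*)(\d+\.\d+\.\d+\.\d+)(.*)")
# Variant with a non-greedy leading group and word boundaries, so the whole
# address (not just its trailing part) lands in group 2. Assumption: the
# rule engine backtracks the way Python's re does; test it on the appliance.
TIGHT_MATCH = re.compile(r"(.*?)\b(\d+\.\d+\.\d+\.\d+)\b(.*)")
REPLACE = r"\1www.domain.com\3"  # www.domain.com = the VS's public hostname


def rewrite_header_value(value, pattern=TIGHT_MATCH):
    """Emulate a Replace Header rule on a single response header value."""
    return pattern.sub(REPLACE, value, count=1)


def apply_response_rule(headers, watched=("location", "www-authenticate")):
    """Apply the rewrite only to the headers the article names as disclosing the IP."""
    return [(name, rewrite_header_value(value) if name.lower() in watched else value)
            for name, value in headers]


def private_ips_in_headers(headers):
    """Return (header, address) pairs that still expose a private address;
    this is the condition the vulnerability scanner reports."""
    leaks = []
    for name, value in headers:
        for match in re.finditer(r"\d{1,3}(?:\.\d{1,3}){3}", value):
            try:
                addr = ip_address(match.group(0))
            except ValueError:  # e.g. 999.1.1.1 is not a valid address
                continue
            if addr.is_private:
                leaks.append((name, str(addr)))
    return leaks


# Constructed sample: a redirect and an auth challenge that carry the real
# server's private address instead of the public hostname.
SAMPLE_HEADERS = [
    ("Location", "http://10.0.0.5:8080/app/"),
    ("WWW-Authenticate", 'Basic realm="10.0.0.5"'),
    ("Server", "Apache"),
]

if __name__ == "__main__":
    print("before:", private_ips_in_headers(SAMPLE_HEADERS))
    print("after: ", private_ips_in_headers(apply_response_rule(SAMPLE_HEADERS)))
    # Greedy pitfall: the article's pattern leaves the "1" of "10.0.0.5" behind.
    print(rewrite_header_value(SAMPLE_HEADERS[0][1], ARTICLE_MATCH))
```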
Workaround:
Notes: