
Virtual service to answer only HTTP/1.1 requests

Information
Summary:

We want to prevent disclosure of internal Real Server IP addresses by allowing only HTTP/1.1 requests.

Environment:

Product: VLM

Version: Any

Platform: Any

Application: HTTP web applications

Question/Problem Description:

What is the best way to configure our virtual service(s) to answer only HTTP/1.1 requests?
This is to prevent the HTTP Location response header on the Bell Direct and Desktop Broker web applications from revealing internal IP addresses.

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause: Web servers may be configured to respond to client requests with redirects. In some cases, specially crafted requests can be used to expose internal IP addresses. Typically this is done by sending a blank Host header, which can result in the server issuing a redirect that uses its own IP address as the host name in the Location header.
Resolution:

However, the LoadMaster can be configured to remove (strip out) the HTTP Location response header that is exposing the internal server IP address. See:

https://support.kemptechnologies.com/hc/en-us/articles/203522429-How-to-Mitigate-Against-Internal-IP-Address-Domain-Name-Disclosure-In-Real-Server-Redirects
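To illustrate the response-side check the linked article describes, here is an added example (not Kemp code, and not a LoadMaster content rule) that detects a Location header pointing at an internal IP literal and rewrites it to the public hostname; the hostname www.example.com and the sample headers are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit


def is_internal_host(host):
    """True if host is an IP literal in a private, loopback or link-local range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return ip.is_private or ip.is_loopback or ip.is_link_local


def _find_header(headers, name):
    """Header names are case-insensitive; return the key as spelled in the dict."""
    for key in headers:
        if key.lower() == name.lower():
            return key
    return None


def leaks_internal_address(headers):
    """Detection: does this response's Location header point at an internal address?"""
    key = _find_header(headers, "Location")
    if key is None:
        return False
    host = urlsplit(headers[key]).hostname  # None for a relative Location such as /login
    return bool(host) and is_internal_host(host)


def rewrite_location(headers, public_host, scheme="https"):
    """Mitigation: return a copy of the response headers in which a Location header
    that exposes an internal address is rewritten to the public hostname (port dropped).
    Headers that do not leak anything are returned unchanged."""
    fixed = dict(headers)
    if not leaks_internal_address(fixed):
        return fixed
    key = _find_header(fixed, "Location")
    parts = urlsplit(fixed[key])
    fixed[key] = urlunsplit((scheme, public_host, parts.path, parts.query, parts.fragment))
    return fixed


if __name__ == "__main__":
    # Constructed sample: the kind of redirect a backend emits when the Host header is blank.
    leaked = {"Server": "Apache", "Location": "http://10.0.0.5/login?x=1"}
    print(leaks_internal_address(leaked))  # True
    print(rewrite_location(leaked, "www.example.com")["Location"])  # https://www.example.com/login?x=1
```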

Workaround:  
Notes: https://support.kemptechnologies.com/hc/en-us/articles/203522429-How-to-Mitigate-Against-Internal-IP-Address-Domain-Name-Disclosure-In-Real-Server-Redirects
