Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Preventing Data Leakage

 

Information

 

Summary:

Simple steps to prevent data leakage

Environment:

Product: LoadMaster

Version:7.2.57

Platform: Any

Application: Any

Question/Problem Description:

How to prevent the leaking of server system information when routing the response through the LoadMaster.

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause:

Some headers (such as the "server" header) can sometimes inadvertently disclose information about the systems in a network environment.

The port 80 Redirect can sometimes leak IP information about the real server.

Resolution:

The "Server" header can contain information about the current version of the web server. This can be important information for bad actors and pen testers alike. By removing the header when it passes back through the LoadMaster (LM) this information is harder to attain.

 

To remove the server header create a rule as follows:

Rule Type: Delete header

Rule name : remove_server_header

Match String : server

Perform If Flag Set: [Unset]

Perform If Flag is NOT Set: [Unset]

delete_server_header.png

Add to "Response Rules" on the virtual service under "Advanced Properties -> Show Header Rules"

add_rule_to_response_rules.png

 

Select the rule based on name and click the Add button.

The rule should now be added as shown in the below screenshot.

rule_added.png

 

Locking Down the port 80 Redirect:

When using a port 80 redirect by default the LM will create a 302 redirect using the following "https://%h%s" where %h is the same host and %s is the same path.

With a specially crafted query this can disclose the internal IP structure of the virtual service.

port_80_redirect.png

 

To prevent this a better redirect would instead be set to the domain such as "https://www.domain.com%s". This would then have the FQDN of the site and not an IP of the real server.

better_redirect.png

Workaround:  
Notes:  

Comments