IIS 7: IP Address revealed on redirection requests on HTTP/1.0 protocol

by jask2002 9. February 2012 04:52

I recently worked on an interesting case where an internal IP address was revealed whenever we queried the server with the wfetch tool.

Request Flow
==========
Client -> ISA -> IIS 7
x.x.x.30 -> x.x.x.10 -> x.x.x.20

We have DNS installed on the ISA server, with an A record for iistest.com pointing to x.x.x.20.
Our first thought was to follow KB 834141, so we ran the following command on the IIS 7 box (a fresh install):
C:\Windows\System32\inetsrv>appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"iistest.com" /commit:apphost

That didn't help, so we captured a Netmon sniffer trace for:
1) a request from wfetch
2) a request from IE

Request:
GET /exchange/ HTTP/1.0

Response:
HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://X.X.X.20/exchweb/bin/auth/owalogon.asp?url=http://X.X.X.20/exchange/&reason=0&replaceCurrent=1
Set-Cookie: sessionid=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: cadata=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Date: Tue, 02 Dec 2008 15:49:46 GMT
Connection: close

Request:
GET /exchange HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Host: iistest
Connection: Keep-Alive

Response:
HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://iistest/exchweb/bin/auth/owalogon.asp?url=http://iistest/exchange&reason=0&replaceCurrent=1
Set-Cookie: sessionid=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: cadata=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Date: Tue, 02 Dec 2008 15:51:50 GMT

The only difference between the two requests is the protocol version: HTTP/1.0 versus HTTP/1.1. What I make of it:

“HTTP/1.1 requires requests to include a Host header”

HTTP/1.0 assumed that a GET would be sent directly to the correct server, carrying only a relative path and no Host header. So when IIS turns that relative path into an absolute Location URL for the redirect, it has no host name to use and falls back to the server's own IP address.

Bingo! Now we know that whenever a 302 is returned for an HTTP/1.0 request, the internal IP address is revealed.
The question is how to block HTTP/1.0 requests on the server side:

1) Write your own ISAPI filter/module that inspects incoming requests and rejects any that use HTTP/1.0
2) Or use the URL Rewrite module on IIS 7

I followed the latter approach and created a rewrite rule in the web.config of the Default Web Site (C:\inetpub\wwwroot):

<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" />
          <conditions>
            <!-- {SERVER_PROTOCOL} is the version from the request line, e.g. HTTP/1.0 -->
            <add input="{SERVER_PROTOCOL}" pattern="HTTP/1.0" />
          </conditions>
          <!-- drop the connection instead of issuing the redirect -->
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

This rule blocks requests arriving over HTTP/1.0; the client just sees "page cannot be displayed". You can modify the rule to return an error page stating that HTTP/1.0 is not allowed instead.
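The following is an added example, not code from the original post. It does two things the post describes by hand: it evaluates the rewrite rule's condition ({SERVER_PROTOCOL} equal to HTTP/1.0) against raw requests, and it scans captured redirect responses, like the Netmon trace above, for a Location header whose host is an IP literal rather than a name. The sample requests, responses and the 10.0.0.20 address are constructed for the example; they stand in for the x.x.x.20 placeholder in the post and are not real hosts.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample traffic modelled on the traces in the post.
# 10.0.0.20 is a made-up placeholder for the internal server address.
HTTP10_REQUEST = b"GET /exchange/ HTTP/1.0\r\n\r\n"
HTTP11_REQUEST = (b"GET /exchange HTTP/1.1\r\n"
                  b"Host: iistest\r\n"
                  b"Connection: Keep-Alive\r\n\r\n")
LEAKY_RESPONSE = (b"HTTP/1.1 302 Moved Temporarily\r\n"
                  b"Content-Length: 0\r\n"
                  b"Location: http://10.0.0.20/exchweb/bin/auth/owalogon.asp"
                  b"?url=http://10.0.0.20/exchange/&reason=0\r\n"
                  b"Connection: close\r\n\r\n")
CLEAN_RESPONSE = (b"HTTP/1.1 302 Moved Temporarily\r\n"
                  b"Content-Length: 0\r\n"
                  b"Location: http://iistest/exchweb/bin/auth/owalogon.asp"
                  b"?url=http://iistest/exchange&reason=0\r\n\r\n")


def parse_message(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP message into its start line and a dict of headers (names lower-cased)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def server_protocol(raw_request: bytes) -> str:
    """Return what IIS exposes as {SERVER_PROTOCOL}: the version token on the request line."""
    start, _ = parse_message(raw_request)
    parts = start.split()
    # An HTTP/0.9 "simple request" carries no version token at all.
    return parts[2] if len(parts) >= 3 else "HTTP/0.9"


def has_host_header(raw_request: bytes) -> bool:
    """HTTP/1.1 mandates Host; HTTP/1.0 clients such as wfetch typically omit it."""
    _, headers = parse_message(raw_request)
    return "host" in headers


def rule_verdict(raw_request: bytes) -> str:
    """Mirror the post's URL Rewrite rule: AbortRequest when {SERVER_PROTOCOL} is HTTP/1.0."""
    return "AbortRequest" if server_protocol(raw_request) == "HTTP/1.0" else "pass"


def leaked_address(raw_response: bytes) -> Optional[str]:
    """Return the IP literal used as the Location host, or None if it is a name or absent."""
    _, headers = parse_message(raw_response)
    location = headers.get("location")
    if not location:
        return None
    host = urlsplit(location).hostname  # handles ports and [IPv6] brackets
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None  # a host name, which is what we want to see
    return host


def audit(pairs: List[Tuple[bytes, bytes]]) -> List[Dict[str, object]]:
    """Flag every 3xx response in a captured exchange whose Location reveals an IP address."""
    findings: List[Dict[str, object]] = []
    for request, response in pairs:
        status_line, _ = parse_message(response)
        tokens = status_line.split()
        code = tokens[1] if len(tokens) > 1 else ""
        address = leaked_address(response)
        if code.startswith("3") and address:
            findings.append({
                "request_protocol": server_protocol(request),
                "host_header": has_host_header(request),
                "leaked": address,
                "private": ipaddress.ip_address(address).is_private,
            })
    return findings


if __name__ == "__main__":
    for req in (HTTP10_REQUEST, HTTP11_REQUEST):
        print(server_protocol(req), "->", rule_verdict(req))
    for finding in audit([(HTTP10_REQUEST, LEAKY_RESPONSE),
                          (HTTP11_REQUEST, CLEAN_RESPONSE)]):
        print("IP revealed in redirect:", finding)
```

Running it shows the HTTP/1.0 request hitting AbortRequest while the HTTP/1.1 request passes, and exactly one finding: the redirect answered to the Host-less request carries the private address. The audit function is written to take (request, response) pairs so that it can be fed exported trace data from a sniffer; an IP literal in any Location header is worth a look, whether or not the rule is in place.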

For IIS 6 there is no way to block HTTP/1.0 requests (not even with URLScan), but you can write your own ISAPI filter to do the same job.



Comments (11) -

citigroup
citigroup United States
3/8/2013 8:10:44 PM #

Hi there! I know this is kind of off topic but I was wondering if you knew where I could get a captcha plugin for my comment form? I’m using the same blog platform as yours and I’m having difficulty finding one? Thanks a lot!


Reply

Web Design in Rhode Island
Web Design in Rhode Island United States
3/9/2013 7:19:25 AM #

This is my first time i visit here. I found so many entertaining stuff in your blog, especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here! Keep up the good work.

Reply

DePuy ASR hip recall
DePuy ASR hip recall United States
3/11/2013 2:10:28 AM #

I'm in complete agreement with a lot of the information in the following paragraphs. You certainly are a special article writer have real profit put your own views directly into apparent phrases. Anyone will be able to understand why.

http://depuy-lawsuit-lawyers.com/

Reply

online test web app
online test web app United States
3/11/2013 3:56:14 AM #

Hello I wish to to share a comment here concerning you to definitely be able to inform you just how much i personally Loved this particular study. I have to elope in order to aTurkey Day time Supper but desired to leave ya an easy comment. We preserved you Same goes with be returning subsequent function to read more of yer quality articles. Keep up the quality work.

http://www.agileload.com

Reply

collection agency
collection agency United States
3/11/2013 12:30:04 PM #

Another very strong and powerful post. I’ve been reading through some of your previous posts and finally decided to drop a comment on this one. I signed up for your newsletter, so please keep up the informative posts!

Reply

steam shower
steam shower United States
3/13/2013 3:22:44 PM #

This is my first time i visit here. I found so many entertaining stuff in your blog, especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here! Keep up the good work.

Reply

DePuy hip recall attorneys
DePuy hip recall attorneys United States
3/18/2013 4:52:59 AM #

This design is incredible! You most certainly know how to keep a reader entertained. Between your wit and your videos, I was almost moved to start my own blog (well, almost...HaHa!) Great job. I really enjoyed what you had to say, and more than that, how you presented it. Too cool!

Reply

market
market United States
3/21/2013 9:52:02 PM #

Hi there! I know this is kind of off topic but I was wondering if you knew where I could get a captcha plugin for my comment form? I’m using the same blog platform as yours and I’m having difficulty finding one? Thanks a lot!


Reply

imported German shepherds
imported German shepherds United States
4/7/2013 9:56:42 PM #

Thanks for any other great article. Where else may anyone get that kind of info in such a perfect method of writing? I have a presentation subsequent week, and I’m at the search for such info.

http://www.banffyhaus.com/

Reply

vhf antenna
vhf antenna United States
4/22/2013 8:09:59 PM #

hello m8  the information on this site is just incredible it keeps me coming back time and time again ,personally i met my wife using this site so i couldnt love it any more i have done my best to promote this site as i feel that others need to see this thang ,thankyou for all the time spent in making this fabulous site ! ok,nice one Billy

antennasystems.com/category/cable-andrew.html

Reply

ghgh
ghgh United States
7/10/2013 11:56:42 PM #

jhjhgjghjghj

Reply


About me

Hi there,

My name is Jas and I'm currently working with Microsoft IIS/ASP.Net Escalation Services.


Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.