Forum Discussion
Verify Host Header and request URL match.
I need to verify that the host header associated with the URL request matches. Example: a disgruntled employee wants to wipe out everything on our internal SharePoint. He modifies his host file to say that internal.sharepoint.com = sharepoint.com. SharePoint, for some reason, only seems to care about the host header, so it sends them to the internal site. He logs in and wipes everything. I have no clue on iRules... any help with this, or any idea how to do it differently, would be appreciated. Here's what I have so far, that doesn't work :/
when HTTP_REQUEST {
    if { ([HTTPS::host] equals "test.example.com.com")and ([HTTP::header] equals "test.example.com")} {
        HTTP::redirect https://test.example.com
    }
}
3 Replies
- Mohamed_Lrhazi
Altocumulus
Host header is one part of "http request", there is no "host" info in a header, then another in the "request".
A disgruntled employee can download plugins to Firefox or Chrome and craft whatever headers or requests he needs, no need to mess with their /etc/hosts. If one can wipe out everything when they should not have been allowed to, then that's a bigger issue you have. Your system needs to securely authenticate people, then apply authorization policies so they access just what they need to access...
Unless I totally misunderstood your question, which happens to me often. Sorry.
- Server_Team_146
Nimbostratus
Correct. I am misusing the word hostheader. I mean Host. I can manipulate the host to be whatever I want...therefore, I want to make sure that the Host they're requesting is "sharepoint.com" and not anything else...does that make more sense?
Re: disgruntled employee. Agreed. We don't have a good offloading process, and sometimes the team that disables user accounts/access misses one every once in a while. Our SharePoint environment isn't set up ideally, which is why we're trying to address it via F5.
Thanks for replying!
- Mohamed_Lrhazi
Altocumulus
OK, so you simply want something like:
when HTTP_REQUEST {
    # Drop the connection unless the Host header is exactly the expected name
    if {not ([string tolower [HTTP::host]] equals "www.example.com")} { reject }
}
or see this example that redirects based on strings found inside the Host header:
https://devcentral.f5.com/wiki/iRules.Universal_Host_Redirect.ashx
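A fuller form of the Host check discussed in this thread, as an added example that is not code from any of the posters: it normalizes the Host value before comparing, logs the mismatch, and answers with a 403 instead of a silent reset. It assumes the iRule is attached to the virtual server that should only ever serve sharepoint.com; the `static::allowed_hosts` list name is hypothetical.

```tcl
when RULE_INIT {
    # Assumed allowlist: the only Host value this virtual server should serve.
    set static::allowed_hosts [list "sharepoint.com"]
}

when HTTP_REQUEST {
    # Normalize before comparing: lowercase, drop an optional :port,
    # and drop a trailing dot ("sharepoint.com." is the same name).
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    set host [string trimright $host "."]

    # An empty Host (for example an HTTP/1.0 request without the header)
    # is not in the list, so it is refused as well.
    if { [lsearch -exact $static::allowed_hosts $host] == -1 } {
        # Record who asked for which name, so mismatches can be reviewed.
        log local0. "Host check failed: host='[HTTP::host]' client=[IP::client_addr] vs=[virtual name]"
        HTTP::respond 403 content "Forbidden" "Connection" "close"
        return
    }
}
```

A request that reaches this virtual server with `Host: internal.sharepoint.com` is refused before it gets to SharePoint, which is the case described in the question.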
