Web Server HTTP Header Internal IP Disclosure
One of my virtual servers returns the vulnerability Web Server HTTP Header Internal IP Disclosure during a Nessus scan. Security is asking me to fix this but I am not sure how. I tried creating a traffic policy that looks for the user agent browser version but it did not work. Can I remediate this using a traffic policy or an irule? Results from the Nessus scan (I replaced internal ip with x):
Nessus was able to exploit the issue using the following request :
GET / HTTP/1.0
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
This produced the following truncated output (limited to 10 lines) :
------------------------------ snip ------------------------------
Location: https://x.x.x.x
Content-Length: 0
Set-Cookie: BIGipServersecuritycode_pool=!eqWzOV3gZ9FYUseX0oXX4p1/qldnSqlypGSckjlKQ4SixTXmSwQJ5JGJA+YkLWE6hOe7moh3oHoh8P8=; path=/; Httponly; Secure
X-FRAME-OPTIONS: SAMEORIGIN
------------------------------ snip ------------------------------
They are referring to the easily decoded cookie BIGipServersecuritycode_pool; once decoded, you'll see the pool member IP address.
Easy solution is to encrypt the cookie.
Have a look into this great github page:
https://github.com/dnkolegov/bigipsecurity#persistence-cookie-information-leakage
- jmasgalasNimbostratus
I am using an encrypted cookie. I also tried removing the server agent name from the http profile. Nessus still detects the location IP.
If the problem is the Location header that exposes an IP address, you can try a simple iRule that will rewrite the Location, for example:
when HTTP_RESPONSE {
    if { [HTTP::header is_redirect] } {
        HTTP::header replace Location [string map -nocase {1.1.1.1 www.something.com} [HTTP::header value Location]]
    }
}
But you can implement something similar using an LTM policy.
- jmasgalasNimbostratus
Thanks for the reply. I did create the irule but Nessus is still detecting the same vulnerability. This is frustrating to say the least.
Here is my irule:
when HTTP_RESPONSE {
    if { [HTTP::header is_redirect] } {
        HTTP::header replace Location [string map -nocase {1.1.1.1 securitycode.summithealth.org} [HTTP::header value Location]]
    }
}
I then tried something similar using a policy:
http header named Content-Location contains any of x.x.x.x at response time.
Replace http header named Content-Location with value securitycode.summithealth.org at response time.
Still not resolved.
- jmasgalasNimbostratus
I was able to work around this by implementing the below irule but then the application breaks. Anyone have any ideas on how to remediate the vulnerability but keep the web site working?
when HTTP_RESPONSE {
    if { [HTTP::header is_redirect] } {
        HTTP::header replace Location \
            [string map -nocase "https://x.x.x.x/vipssp/ https://securitycode.summithealth.org/vipssp/" [HTTP::header value Location]]
    }
}
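A defender-side check for both points raised in this thread (the decodable persistence cookie and the private address in the Location header), added here as an example that is not from the thread or from F5: it parses a constructed response modelled on the redacted Nessus output and reports what a scanner would flag, so the same function can be run against the response after the iRule or policy is applied to confirm the leak is gone. The sample response, the 10.1.1.100:8080 pool member and the function names are assumptions.

```python
import ipaddress
import re
import struct

# Constructed sample response, modelled on the redacted Nessus output in the thread.
SAMPLE_RESPONSE = (
    "HTTP/1.0 302 Found\r\n"
    "Location: https://10.1.1.100/vipssp/\r\n"
    "Content-Length: 0\r\n"
    "Set-Cookie: BIGipServersecuritycode_pool=1677787402.36895.0000; path=/; Httponly; Secure\r\n"
    "X-FRAME-OPTIONS: SAMEORIGIN\r\n"
    "\r\n"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_headers(raw):
    """Split a raw HTTP response into (lowercased name, value) header pairs."""
    headers = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def decode_bigip_cookie(value):
    """Decode a plaintext BIGipServer cookie '<ip>.<port>.0000' to 'ip:port'.
    Both numbers are little-endian. An encrypted cookie starts with '!' and
    cannot be decoded, so None is returned for it and for any other format."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.0000", value)
    if value.startswith("!") or m is None:
        return None
    ip = ipaddress.IPv4Address(struct.pack("<I", int(m.group(1))))
    port = struct.unpack(">H", struct.pack("<H", int(m.group(2))))[0]
    return f"{ip}:{port}"

def find_internal_ip_leaks(raw):
    """List what a scanner would flag: private IPs in Location, decodable cookies."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "location":
            for ip in IPV4_RE.findall(value):
                if ipaddress.IPv4Address(ip).is_private:
                    findings.append(f"Location header exposes private address {ip}")
        elif name == "set-cookie" and value.lower().startswith("bigipserver"):
            cookie_name, _, rest = value.partition("=")
            decoded = decode_bigip_cookie(rest.split(";", 1)[0])
            if decoded:
                findings.append(f"{cookie_name} decodes to pool member {decoded}")
    return findings
```

An empty list from find_internal_ip_leaks on the post-remediation response is the condition the scanner check is looking for; an encrypted cookie (the "!" form shown in the Nessus output) yields no cookie finding on its own.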