Solved

IIS8 Internal IP Address Disclosed in HTTP Headers

Posted on 2016-11-10
Medium Priority
2,067 Views
Last Modified: 2016-11-30
Hi

Recently a site hosted on an IIS8 server failed a pen test with "Internal IP Address Disclosed in HTTP Headers".

I have found loads of ways to sort it in IIS7 and earlier, but not in IIS8.

Please help.

Thanks
Question by:timb551
21 Comments
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 41883290
Fairly common vulnerability. You can go into the Features view in IIS and find HTTP Response Headers. Double click, then right click and remove. See https://imgalib.wordpress.com/tag/ssl-certificate-vulnerability/ (look about halfway down).
1
 

Author Comment

by:timb551
ID: 41883422
I don't have anything listed in HTTP Response Headers.
0
 

Author Comment

by:timb551
ID: 41883433
Also, it is turned off in my web.config:

<httpRuntime targetFramework="4.5" maxRequestLength="1048576" enableVersionHeader="false" encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=4.0.0.0, Culture=neutral" />
0

 
LVL 29

Expert Comment

by:Dan McFadden
ID: 41883464
What Response Header are you concerned about? Name?

There are several Response Headers that leak info in a default IIS installation. Some can be addressed in the web application's config and some can be globally addressed in the server scope configuration of IIS.

What does your web infrastructure look like?
1. an IIS Server sitting behind a firewall, set up with a public IP (no NAT)
2. an IIS Server sitting behind a firewall with a private IP (firewall doing NAT)
3. an IIS Server sitting behind a firewall with a load balancer (using a public IP) (no NAT)
4. an IIS Server sitting behind a firewall with a load balancer (using a private IP) (firewall doing NAT)

I ask because in these scenarios, the leak may not necessarily be coming from IIS. There may be other devices in front of your server that could be adding response headers to the outgoing HTTP reply. You may have to address these other devices as well.

Dan
0
 

Author Comment

by:timb551
ID: 41883467
Hi Dan

The site is behind a firewall and NAT'd.

It's leaking the internal IP address of the server.

Thanks

Tim
0
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 41883472
What is the name of the response header?  It would be helpful to know the name of the actual header.

What brand of firewall are you using?

Dan
0
 

Author Comment

by:timb551
ID: 41883483
We are using a WatchGuard XTM.

The only information I have got is from the pen test company, which is:

1.png (attachment)
Thanks
0
 
LVL 29

Accepted Solution

by:Dan McFadden (earned 2000 total points)
ID: 41883503
I'm not sure this is coming from IIS, since the IIS server is behind a device doing NAT.

You can use the URL Rewrite feature in IIS to modify response headers.  Here is a link for that:  https://forums.iis.net/t/1223436.aspx?Remove+Location+header+from+http+response

But I believe this is most likely coming from your firewall.  You can view the HTTP Response Header that the firewall is adding and from there you should be able to manage the location header.

Reference Link:  http://www.watchguard.com/help/docs/wsm/xtm_11/en-us/content/en-us/proxies/http/http_responses_header_flds_c.html

Dan
0
 

Author Comment

by:timb551
ID: 41883517
Thanks Dan. Could it still be the firewall even though it's reporting the IIS server's local address?

thanks
0
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 41883531
If you directly hit the IIS Server, I believe you will not see the Location response header. You can verify this by using a developer tool plugin/extension on your browser. For example, in Firefox, I open the Developer tools and view the conversation between the browser and the server. Here you can see the raw info being passed back and forth. You can also do this in either IE/Edge and Chrome.

When I directly hit the various IIS servers I manage, I do not see a Location header.

I suggest you test hitting the server directly and check for the presence of the Location response header. If it exists on a direct hit (not going through your firewall NAT), then you can remove it with URL Rewrite.

If the response header is not present, then the firewall is adding the header to the outbound HTTP reply. You will need to modify what the firewall is doing in this situation.

Dan
0
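One way to do the comparison Dan describes (a direct hit on the IIS server versus a hit through the firewall/NAT), as an added example that is not code from this thread: it parses raw HTTP response header blocks, flags any header whose value contains an RFC 1918 address, and lists the headers that are present only on the path through the intermediary. The two header blocks, the 192.168.10.25 address, the site name and the `fw-placeholder` Via value are constructed placeholders. The `fetch_headers_raw` helper sends the bare HTTP/1.0 request with no Host header that scanners commonly use when probing for this finding, so the HTTP/1.0 case discussed later in the thread can be compared against a normal HTTP/1.1 request as well.

```python
"""Compare HTTP response headers from a direct hit and a NAT/proxy hit and
flag any header whose value contains a private (RFC 1918) IPv4 address.

Added example, not code from the thread. Hostnames and addresses are
placeholders: substitute the IIS server's internal IP and the public name.
"""
import http.client
import ipaddress
import re
import socket

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def private_ips_in(value):
    """Return the private IPv4 addresses found in a single header value."""
    found = []
    for candidate in IPV4_RE.findall(value):
        try:
            ip = ipaddress.IPv4Address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matched the regex but is not an IP
            continue
        if ip.is_private:
            found.append(str(ip))
    return found


def leaking_headers(headers):
    """Map lower-cased header name -> private IPs found in its value."""
    leaks = {}
    for name, value in headers:
        ips = private_ips_in(value)
        if ips:
            leaks.setdefault(name.lower(), []).extend(ips)
    return leaks


def added_by_intermediary(direct_headers, external_headers):
    """Headers whose value on the NAT/proxy path differs from (or is absent on)
    the direct hit: those were inserted or rewritten by the device in between."""
    direct = {n.lower(): v for n, v in direct_headers}
    external = {n.lower(): v for n, v in external_headers}
    return {n: v for n, v in external.items() if direct.get(n) != v}


def parse_raw_headers(head):
    """Parse 'HTTP/1.1 301 ...\\r\\nName: value\\r\\n...' into (name, value) pairs."""
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def fetch_headers(host, port=80, path="/", host_header=None):
    """Normal HTTP/1.1 GET; host_header lets a direct hit on the internal IP
    still carry the public site name."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", path, headers={"Host": host_header or host})
    headers = conn.getresponse().getheaders()
    conn.close()
    return headers


def fetch_headers_raw(host, port=80, path="/"):
    """Bare HTTP/1.0 GET with no Host header, the form commonly used by
    scanners for this finding; returns the response headers."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii"))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_raw_headers(raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1"))


# Constructed samples: a direct hit and the same response seen through the NAT device.
DIRECT_SAMPLE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Location: http://www.example.com/default.aspx\r\n"
    "Server: Microsoft-IIS/8.0\r\n"
)
EXTERNAL_SAMPLE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Location: http://192.168.10.25/default.aspx\r\n"
    "Server: Microsoft-IIS/8.0\r\n"
    "Via: 1.1 fw-placeholder\r\n"
)


def compare_samples():
    """Run both checks over the constructed samples."""
    direct = parse_raw_headers(DIRECT_SAMPLE)
    external = parse_raw_headers(EXTERNAL_SAMPLE)
    return leaking_headers(external), added_by_intermediary(direct, external)


if __name__ == "__main__":
    leaks, added = compare_samples()
    print("headers leaking private IPs:", leaks)
    print("headers added/rewritten by intermediary:", added)
```

For a live check, call `fetch_headers("192.168.x.x", host_header="www.example.com")` from inside the network and `fetch_headers("www.example.com")` from outside, then pass both lists to `added_by_intermediary`; a Location value that only carries the internal address on the external path points at the firewall, as it did in this thread.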
 

Author Comment

by:timb551
ID: 41883898
OK, thanks Dan, that's great. I will investigate further and report back.
0
 

Author Comment

by:timb551
ID: 41886372
Do you see an issue in turning off HTTP 1.0?
0
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 41886465
Can you explain a little more about where you intend to "turn off HTTP 1.0?"

Dan
0
 

Author Comment

by:timb551
ID: 41886468
Putting the following into web.config:

<rewrite>
    <rules>
        <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
            <match url="*" />
            <conditions>
                <add input="{SERVER_PROTOCOL}" pattern="HTTP/1.0" />
            </conditions>
            <action type="AbortRequest" />
        </rule>
    </rules>
</rewrite>
0
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 41886477
You can certainly do that, but I can not think of any reason to block HTTP/1.0. It isn't really a security issue, so why would you want to implement a block?

I run many IIS Server instances across 4 environments (DEV, QA, Staging, PROD) and do not block HTTP/1.0 requests anywhere.

Dan
0
 

Author Comment

by:timb551
ID: 41886502
I'm just assuming that blocking HTTP 1.0 would stop the reporting of the internal IP?
0
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 41886608
Not really. Have you tested hitting the site internally and then externally to compare the response headers?

I believe the header is being added by the device doing the NAT.

Dan
0
 

Author Comment

by:timb551
ID: 41886633
I have tested internally and externally and I cannot see where it's referencing the internal IP.

I might need to get some more information if possible from the pen test company.
0
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 41886709
The Location is a response header inserted into the HTTP reply to the browser. You need to view the raw HTTP data to see it. As I mentioned before, browser Dev tools will let you view this info.

Also, a device doing reverse proxying or NAT can be inserting the header because it's acting as an intermediary for the destination resource.

Reference link for the "Location" response header: https://en.wikipedia.org/wiki/HTTP_location

Dan
0
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 41901333
Have you been able to resolve the issue? Is there any additional info?

Dan
0
 

Author Closing Comment

by:timb551
ID: 41907419
Looks like it was the WatchGuard, so details removed in the HTTP proxy.

Thanks Dan.
0
