[Owasp-singapore] Follow-up from yesterday's meetup

Wong Onn Chee ocwong at usa.net
Fri Aug 14 06:53:02 EDT 2009


For those of you who were there in yesterday's meetup,

Besides the SG govt leak, I also shared how I spotted that one of our local
transport companies did not do a clean job of securing their web site
information, because they expose the WAF/firewall that they are using.

Here is the HTTP response for your reference:

HTTP/1.x 200 OK
Date: Fri, 14 Aug 2009 10:38:03 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Concealed by Juniper Networks DX
Content-Encoding: deflate
Warning: 214  "Juniper Networks DX Active"
Vary: Accept-Encoding, User-Agent
Transfer-Encoding: chunked
Via: 1.1 dx2 (Juniper Networks Application Acceleration Platform - DX 5.2.6 0)
Set-Cookie: rl-sticky-key=c0a8089b; path=/;

Yes, they have done something good by adding a Juniper WAF in front of
their web server, but is there really a need to tell the entire world
you are using Juniper Networks Application Acceleration Platform - DX
5.2.6 0?
And that you are running ASP.Net version 1.1.4322 too?
Why change the Server header to "Concealed" at all when everything else is leaked?

*Lesson*: If you want to conceal, please conceal fully. Don't conceal
one thing and reveal another thing. IS pros should not be playing
peekaboo games....we don't work in Geylang.

Again, ostrich symptom in play here - thinking that there is nothing
more to be done after slapping a Juniper in front of your web server.

Maybe we can run the first SG OWASP conference and call it "Ostrich
Conference"?
Any seconders? ;-)


Regards
Onn Chee
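The check described in the post, as an added example that is not part of the original message: a small audit script that parses a raw HTTP response, flags the headers that disclose a product or version (Server, X-Powered-By, X-AspNet-Version, Via, Warning), and reports a "concealment gap" when Server claims to be concealed while other headers still give the platform away. The sample response is a constructed copy of the one quoted above. The cookie decoding at the end is a heuristic added here, not something the post states: an eight-hex-character cookie value is the right length for an IPv4 address, so the script shows that interpretation as a lead to verify, not as a confirmed fact.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample input: the response quoted in the post above, with the
# wrapped 'Via' header rejoined onto one line. Nothing here is fetched live.
SAMPLE_RESPONSE = (
    "HTTP/1.x 200 OK\r\n"
    "Date: Fri, 14 Aug 2009 10:38:03 GMT\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 1.1.4322\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Concealed by Juniper Networks DX\r\n"
    "Content-Encoding: deflate\r\n"
    'Warning: 214  "Juniper Networks DX Active"\r\n'
    "Vary: Accept-Encoding, User-Agent\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Via: 1.1 dx2 (Juniper Networks Application Acceleration Platform - DX 5.2.6 0)\r\n"
    "Set-Cookie: rl-sticky-key=c0a8089b; path=/;\r\n"
    "\r\n"
)

# Headers that routinely carry product or version strings (names are compared lower-cased).
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                       "x-aspnetmvc-version", "via", "warning"}
# Dotted version numbers such as 5.2.6 or 1.1.4322 (a bare "214" is not matched).
VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")
# Product names worth flagging; extend for your own estate.
PRODUCT_RE = re.compile(r"juniper|asp\.net|iis|apache|nginx|php|tomcat|jboss|websphere", re.I)
HEX_IPV4_RE = re.compile(r"[0-9a-fA-F]{8}")


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into (status line, [(name, value), ...]).
    Names are lower-cased; folded continuation lines are joined to the previous header."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        if line[0] in " \t" and headers:          # obs-fold continuation
            name, val = headers[-1]
            headers[-1] = (name, val + " " + line.strip())
            continue
        name, _, val = line.partition(":")
        headers.append((name.strip().lower(), val.strip()))
    return lines[0], headers


def header_findings(headers: List[Tuple[str, str]]) -> List[Dict]:
    """One finding per fingerprint header whose value names a product or a version."""
    findings = []
    for name, val in headers:
        if name not in FINGERPRINT_HEADERS:
            continue
        versions = VERSION_RE.findall(val)
        products = sorted({m.lower() for m in PRODUCT_RE.findall(val)})
        if versions or products:
            findings.append({"header": name, "value": val,
                             "versions": versions, "products": products})
    return findings


def concealment_gap(headers: List[Tuple[str, str]]) -> bool:
    """True when Server says 'concealed' but some other header still leaks the platform."""
    server = next((v for n, v in headers if n == "server"), "")
    if "conceal" not in server.lower():
        return False
    return any(f["header"] != "server" for f in header_findings(headers))


def cookie_hex_ip_candidates(headers: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Heuristic (assumption, not from the post): a Set-Cookie value of exactly eight hex
    characters may be an IPv4 address. Returns (cookie name, dotted quad, is_private)."""
    out = []
    for name, val in headers:
        if name != "set-cookie":
            continue
        cname, _, cval = val.split(";", 1)[0].partition("=")
        cval = cval.strip()
        if HEX_IPV4_RE.fullmatch(cval):
            ip = ipaddress.IPv4Address(int(cval, 16))
            out.append((cname.strip(), str(ip), ip.is_private))
    return out


def audit(raw: str) -> Dict:
    """Full report for one raw response."""
    status, headers = parse_response(raw)
    return {"status": status,
            "leaks": header_findings(headers),
            "concealment_gap": concealment_gap(headers),
            "cookie_ip_candidates": cookie_hex_ip_candidates(headers)}


if __name__ == "__main__":
    report = audit(SAMPLE_RESPONSE)
    for f in report["leaks"]:
        print(f"LEAK  {f['header']}: {f['value']}  products={f['products']} versions={f['versions']}")
    print("Server claims concealment but other headers leak:", report["concealment_gap"])
    for cname, ip, private in report["cookie_ip_candidates"]:
        print(f"CHECK cookie {cname} decodes to {ip} (private={private}) - verify before reporting")
```

Run it against a saved response (for example the output of `curl -sD - -o /dev/null https://host/`) instead of SAMPLE_RESPONSE to audit your own site. Note that the Via header's leading "1.1" is the received-protocol token defined by HTTP, so it shows up in the version list alongside the real product version; the script does not try to tell those apart.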