[Owasp-singapore] Follow-up from yesterday's meetup

Winston.Leong at sg.ey.com Winston.Leong at sg.ey.com
Sun Aug 16 22:18:57 EDT 2009


It appears that this is a load balancer (a outdated one anyway). I believe
these are the default and more often than not, appliance company like to
show off their appliances by using these banners and headers.

These can be disabled with the following instructions (via
http://kb.juniper.net/index?page=content&id=KB12832&cat=DX_SERIES&actp=LIST) :

You can disable the DX setting the Via and/or Warning  HTTP headers
respectively with:?


  set server factory h v disabled


  set server factory h w disabled


these are global settings, you can adjust these per cluster too with:


  set cluster <cluster name> factory h v disabled


  set cluster <cluster name> factory h w disabled


The DX adds these as it is acting as a reverse proxy; these headers notify
clients  they don't talk directly to the server but through a proxy as per
the HTTP RFC.


After disabling these you can use apprules to insert your own Via and/or
warning header as required e.g.


PTH: url starts_with "/" then insert_reply_header "Via" "The long way"


You can use apprules to modify headers set by the target server, from your
output it looks like you are using nitro.apprule or a modified version of
it.   You can view this default file with 'show file nitro.apprule', within
are statements that hide the Server header e.g.


#PTH20
PTH: reply_header "Content-Type" contains "plain"
    and reply_header "Cache-Control" not_contains "no"
    and reply_header "Cache-Control" not_contains "private"
    and reply_header "Cache-Control" not_contains "max-age"
    and reply_header "Pragma" not_contains "no-cache"
    and reply_header "Expires" not_exists
    and http_reply_code equals "200"
    and query_string not_exists
    then insert_reply_header "Cache-Control" "max-age=600"
    and update_reply_header "Server" "Concealed by Juniper Networks DX"
    and cache "600"


You can either modify your applied apprule to set the Server header as you
wish (or preserve it by deleting the relevant line).

Regards, Winston Leong
                                                                                                      
 (Embedded image moved   Winston Leong | Technology and Security Risk Services                        
 to file: pic00527.gif)                                                                               
                                                                                                      
                         Ernst & Young Risk Advisory Services Pte. Ltd                                
                                                                                                      
                         One Raffles Quay, North Tower, Level 18, Singapore 048583                    
                                                                                                      
                         Office: +65 6309 6766 | Fax: +65 6532 7662                                   
                                                                                                      
                         Mobile: +65 9028 3600                                                        
                                                                                                      
                         Website: www.ey.com                                                          
                                                                                                      
                         Thank you for considering the environmental impact of printing emails.       
                                                                                                      




The information contained in this communication is intended solely for the
use of the individual or entity to whom it is addressed and others
authorized to receive it. It may contain confidential or legally privileged
information. If you are not the intended recipient you are hereby notified
that any disclosure, copying, distribution or taking any action in reliance
on the contents of this information is strictly prohibited and may be
unlawful. If you have received this communication in error, please notify
us immediately by responding to this email and then delete it from your
system. We are neither liable for the proper and complete transmission of
the information contained in this communication nor for any delay in its
receipt.

Ernst & Young LLP (UEN T08LL0859H) is an accounting limited
liability partnership registered in Singapore under the Limited Liability
Partnerships Act (Chapter 163A).

Ernst & Young Solutions LLP (UEN T08LL0784H) is a limited
liability partnership registered in Singapore under the Limited Liability
Partnerships Act (Chapter 163A).

Ernst & Young Advisory Pte. Ltd. is a company incorporated in Singapore
with UEN 198905395E.

Ernst & Young Corporate Finance Pte Ltd is a company incorporated in
Singapore with UEN 199702967E.

Ernst & Young Customs & International Trade Services Private Limited is a
company incorporated in Singapore with UEN 200206660G.

                                                                           
             Wong Onn Chee                                                 
             <ocwong at usa.net>                                              
             Sent by:                                                   To 
             owasp-singapore-b         security-77 at meetup.com,             
             ounces at lists.owas         owasp-singapore at lists.owasp.org     
             p.org                                                      cc 
                                                                           
                                                                   Subject 
             14/08/2009 06:53          [Owasp-singapore] Follow-up from    
             PM                        yesterday's meetup                  
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




For those of you who were there in yesterday's meetup,

Besides the SG govt leak, I also shared how I spotted one of our local
transport companies did not do a clean job in securing their web site
information becos they expose the WAF/Firewall that they are using.

Here is the HTTP response for your reference:

HTTP/1.x 200 OK
Date: Fri, 14 Aug 2009 10:38:03 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Concealed by Juniper Networks DX
Content-Encoding: deflate
Warning: 214  "Juniper Networks DX Active"
Vary: Accept-Encoding, User-Agent
Transfer-Encoding: chunked
Via: 1.1 dx2 (Juniper Networks Application Acceleration Platform - DX 5.2.6
0)
Set-Cookie: rl-sticky-key=c0a8089b; path=/;

Yes, they have done something good by adding a Juniper WAF in front of
their web server, but is there really a need to tell the entire world you
are using Juniper Networks Application Acceleration Platform - DX 5.2.6 0?
And that you are running ASP.Net version 1.1.4322 too?
Why changed the Server to "Concealed" at all when everything else is
leaked?

Lesson: If you want to conceal, please conceal fully. Don't conceal one
thing and reveal another thing. IS pros should not be playing peekaboo
games....we don't work in Geylang.

Again, ostrich symptom in play here - thinking that there is nothing more
to be done after slapping a Juniper in front of your web server.

Maybe we can run the first SG OWASP conference and call it "Ostrich
Conference"?
Any seconders? ;-)


Regards
Onn Chee_______________________________________________
Owasp-singapore mailing list
Owasp-singapore at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-singapore
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pic00527.gif
Type: image/gif
Size: 2521 bytes
Desc: not available
Url : https://lists.owasp.org/mailman/private/owasp-singapore/attachments/20090817/8ce89fc6/attachment.gif 


More information about the Owasp-singapore mailing list