[Owasp-singapore] Follow-up from yesterday's meetup

Wong Onn Chee ocwong at usa.net
Sun Aug 16 22:42:27 EDT 2009


Thanks for the detailed instructions, Winston.

But the oversight is by one of our local transport companies.

So if you do know some contacts in there, I can follow up with you on
the actual identity so that they can rectify this oversight before we
disclose their identity.


On 08/17/2009 10:18 AM, Winston.Leong at sg.ey.com wrote:
> It appears that this is a load balancer (an outdated one anyway). I believe
> these are the defaults and, more often than not, appliance companies like to
> show off their appliances by using these banners and headers.
>
> These can be disabled with the following instructions (via
> http://kb.juniper.net/index?page=content&id=KB12832&cat=DX_SERIES&actp=LIST) :
>
> You can disable the DX setting the Via and/or Warning HTTP headers
> respectively with:
>
>
>   set server factory h v disabled
>
>
>   set server factory h w disabled
>
>
> These are global settings; you can adjust these per cluster too with:
>
>
>   set cluster <cluster name> factory h v disabled
>
>
>   set cluster <cluster name> factory h w disabled
>
>
> The DX adds these as it is acting as a reverse proxy; these headers notify
> clients that they don't talk directly to the server but through a proxy, as
> per the HTTP RFC.
>
>
> After disabling these you can use apprules to insert your own Via and/or
> Warning header as required, e.g.
>
>
> PTH: url starts_with "/" then insert_reply_header "Via" "The long way"
>
>
> You can use apprules to modify headers set by the target server; from your
> output it looks like you are using nitro.apprule or a modified version of
> it. You can view this default file with 'show file nitro.apprule'; within
> are statements that hide the Server header, e.g.
>
>
> #PTH20
> PTH: reply_header "Content-Type" contains "plain"
>     and reply_header "Cache-Control" not_contains "no"
>     and reply_header "Cache-Control" not_contains "private"
>     and reply_header "Cache-Control" not_contains "max-age"
>     and reply_header "Pragma" not_contains "no-cache"
>     and reply_header "Expires" not_exists
>     and http_reply_code equals "200"
>     and query_string not_exists
>     then insert_reply_header "Cache-Control" "max-age=600"
>     and update_reply_header "Server" "Concealed by Juniper Networks DX"
>     and cache "600"
>
>
> You can either modify your applied apprule to set the Server header as you
> wish (or preserve it by deleting the relevant line).
>
> Regards, Winston Leong
> Winston Leong | Technology and Security Risk Services
> Ernst & Young Risk Advisory Services Pte. Ltd
> One Raffles Quay, North Tower, Level 18, Singapore 048583
> Office: +65 6309 6766 | Fax: +65 6532 7662 | Mobile: +65 9028 3600
> Website: www.ey.com
>
> On 14/08/2009 06:53 PM, Wong Onn Chee <ocwong at usa.net> (sent by
> owasp-singapore-bounces at lists.owasp.org) wrote to security-77 at meetup.com
> and owasp-singapore at lists.owasp.org, subject "[Owasp-singapore] Follow-up
> from yesterday's meetup":
>
> For those of you who were there in yesterday's meetup,
>
> Besides the SG govt leak, I also shared how I spotted that one of our local
> transport companies did not do a clean job in securing their web site
> information because they expose the WAF/Firewall that they are using.
>
> Here is the HTTP response for your reference:
>
> HTTP/1.x 200 OK
> Date: Fri, 14 Aug 2009 10:38:03 GMT
> X-Powered-By: ASP.NET
> X-AspNet-Version: 1.1.4322
> Cache-Control: private
> Content-Type: text/html; charset=utf-8
> Server: Concealed by Juniper Networks DX
> Content-Encoding: deflate
> Warning: 214  "Juniper Networks DX Active"
> Vary: Accept-Encoding, User-Agent
> Transfer-Encoding: chunked
> Via: 1.1 dx2 (Juniper Networks Application Acceleration Platform - DX 5.2.6
> 0)
> Set-Cookie: rl-sticky-key=c0a8089b; path=/;
>
> Yes, they have done something good by adding a Juniper WAF in front of
> their web server, but is there really a need to tell the entire world you
> are using Juniper Networks Application Acceleration Platform - DX 5.2.6 0?
> And that you are running ASP.Net version 1.1.4322 too?
> Why change the Server header to "Concealed" at all when everything else is
> leaked?
>
> Lesson: If you want to conceal, please conceal fully. Don't conceal one
> thing and reveal another thing. IS pros should not be playing peekaboo
> games....we don't work in Geylang.
>
> Again, ostrich symptom in play here - thinking that there is nothing more
> to be done after slapping a Juniper in front of your web server.
>
> Maybe we can run the first SG OWASP conference and call it "Ostrich
> Conference"?
> Any seconders? ;-)
>
>
> Regards
> Onn Chee
>
> _______________________________________________
> Owasp-singapore mailing list
> Owasp-singapore at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-singapore
>   
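As an added example (not part of the thread, and not Juniper's or either poster's code): a small Python checker that parses a raw HTTP response and lists the headers that fingerprint the stack behind it. This is the verification step to run after applying the DX settings Winston quotes, so that "conceal fully" can be confirmed rather than assumed. The two sample responses are constructed for the example, modelled on the one Onn Chee pasted; the header list and the vendor/version pattern are the example's own choices.

```python
"""Audit an HTTP response for headers that fingerprint the stack behind it.

Added example for the thread above; the sample responses are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Headers that reveal the software stack merely by being present. Via and
# Warning are the two the Juniper KB article quoted in the thread says the DX
# adds when it acts as a reverse proxy.
FINGERPRINT_HEADERS = {
    "x-powered-by": "application framework",
    "x-aspnet-version": "exact ASP.NET runtime version",
    "via": "intermediate proxy identity and version",
    "warning": "proxy / cache status text",
}

# Vendor names and dotted version numbers inside any header value. This is
# what catches a Server header whose "concealed" value still names the vendor.
VENDOR_WORDS = re.compile(r"juniper|asp\.net|\b\d+\.\d+(?:\.\d+)*\b", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (header name, value, reason)


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP response into
    {lower-cased name: [values...]}. Repeated headers keep every value,
    folded continuation lines (leading whitespace) are joined onto the
    previous header, and anything after the blank line is ignored."""
    headers: Dict[str, List[str]] = {}
    last_name: Optional[str] = None
    lines = raw.splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]  # the status line carries no headers
    for line in lines:
        if line.strip() == "":
            break  # end of the header block
        if line[0] in " \t" and last_name is not None:
            headers[last_name][-1] += " " + line.strip()  # obs-fold continuation
            continue
        if ":" not in line:
            continue  # tolerate junk in pasted output
        name, value = line.split(":", 1)
        last_name = name.strip().lower()
        headers.setdefault(last_name, []).append(value.strip())
    return headers


def find_disclosures(headers: Dict[str, List[str]]) -> List[Finding]:
    """Return every header that leaks product or version information."""
    findings: List[Finding] = []
    for name, values in headers.items():
        for value in values:
            if name in FINGERPRINT_HEADERS:
                findings.append((name, value, FINGERPRINT_HEADERS[name]))
            elif VENDOR_WORDS.search(value):
                findings.append((name, value, "vendor or version string in value"))
    return findings


def is_fully_concealed(raw: str) -> bool:
    """True only when no header in the response identifies the stack."""
    return not find_disclosures(parse_response_headers(raw))


# Constructed sample, modelled on the response quoted in the thread.
LEAKY_RESPONSE = """HTTP/1.x 200 OK
Date: Fri, 14 Aug 2009 10:38:03 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Concealed by Juniper Networks DX
Content-Encoding: deflate
Warning: 214 "Juniper Networks DX Active"
Vary: Accept-Encoding, User-Agent
Transfer-Encoding: chunked
Via: 1.1 dx2 (Juniper Networks Application Acceleration Platform - DX 5.2.6 0)
Set-Cookie: rl-sticky-key=c0a8089b; path=/;

<html>...</html>
"""

# Constructed sample of the same response after the proxy and framework
# headers have been suppressed and the Server header removed entirely.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 14 Aug 2009 10:38:03 GMT
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Encoding: deflate
Vary: Accept-Encoding, User-Agent
Transfer-Encoding: chunked
Set-Cookie: rl-sticky-key=c0a8089b; path=/;

<html>...</html>
"""

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}] fully concealed: {is_fully_concealed(raw)}")
        for name, value, reason in find_disclosures(parse_response_headers(raw)):
            print(f"  {name}: {value!r}  <- {reason}")
```

Run against the leaky sample it reports five headers (X-Powered-By, X-AspNet-Version, Server, Warning, Via); the Server header is flagged because its value still contains the vendor name, which is exactly the half-concealment the thread complains about. The hardened sample reports nothing.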