Does Heartbleed ring a bell? Not Heartbleed the person, but the pun version of it, given as the name of a bug that exploited the TLS/SSL heartbeat function to bleed data from a vulnerable server. If you cannot recall Heartbleed, perhaps POODLE, Logjam or the dystopian-sounding Shellshock will jog your memory. These are all, of course, vulnerabilities (bugs) with impressive names.
Introducing HTTPoxy
Welcome to the list of bugs with impressive names, or rather welcome back after 15 years: HTTPoxy. The vulnerability was first discovered 15 years ago, in 2001, and has now been rediscovered and renamed HTTPoxy. Although the name is intended to sound like a disease (and the vulnerability's logo completes the picture), it revolves around HTTP requests and a malicious proxy setting.
HTTPoxy has its own website and Twitter feed to ensure responsible disclosure of the bug (although the branding may well also be an attempt to make a fashion statement!).
Understanding HTTPoxy
HTTPoxy is a set of vulnerabilities that affects application code running in CGI or CGI-like environments. Server-side web applications are the main concern with HTTPoxy.
To quote the official CGI documentation: "The Common Gateway Interface (CGI) is a simple interface for running external programs, software or gateways under an information server in a platform-independent manner. Currently, the supported information servers are HTTP servers. The interface has been in use by the World Wide Web (WWW) since 1993."
In simpler terms, this means that when you use features such as a search engine or a support forum on a web server, those functions need not be written into the web server itself. Using CGI, the web server can hand requests to other programs that generate web content; the output of those programs is then used to build the actual web pages.
Web requests include a number of HTTP headers. These headers pass information between a client and a server as part of the request and the response. If the server can pass the headers on to the other process that handles the CGI work, it makes life even easier.
HTTPoxy requires code that executes in a CGI-like context that sets HTTP_PROXY, together with an HTTP client that trusts HTTP_PROXY. The HTTP client uses the HTTP_PROXY variable as an outgoing web proxy for its HTTP requests. This is where the HTTPoxy vulnerability lies: a namespace conflict, as the official website explains:
- RFC 3875 (CGI) specifies that the Proxy header from a request is placed in the environment variable HTTP_PROXY
- HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
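The namespace conflict described above, worked through as an added example (not code from the original post or from the HTTPoxy project): a minimal RFC 3875 header-to-environment mapping, the naive proxy lookup a client library would have done, a hardened lookup that ignores HTTP_PROXY inside a CGI context, and the edge check that mirrors what the NetScaler policies later in this post do. The helper names, the request headers and the CGI environment are all constructed for the demo.

```python
"""HTTPoxy in miniature: a request header becoming HTTP_PROXY under CGI,
and the defensive checks that break the chain. Added example, not the post's code."""


def cgi_meta_variables(headers):
    """RFC 3875 mapping of request headers to CGI meta-variables: the header
    name is upper-cased, '-' becomes '_', and 'HTTP_' is prepended.
    A 'Proxy' header therefore lands in HTTP_PROXY. Hypothetical helper."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def naive_proxy_from_env(env):
    """Pre-fix behaviour of many HTTP client libraries: trust HTTP_PROXY
    wherever it comes from (constructed to illustrate the flaw)."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def safe_proxy_from_env(env):
    """Hardened lookup: REQUEST_METHOD is present in a CGI environment, and in
    that context HTTP_PROXY is client-supplied, so it is ignored there. The
    lower-case variable can never be produced by the RFC 3875 mapping (header
    names are upper-cased), so it remains under the operator's control."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def has_proxy_header(headers):
    """Edge check equivalent to the Responder/Rewrite policies in this post:
    a legitimate browser never sends a 'Proxy' request header."""
    return any(name.lower() == "proxy" for name in headers)


def demo():
    """Run the three checks against one constructed CGI request."""
    # Constructed request: only the Proxy header is unusual (203.0.113.0/24 is
    # a documentation address range, not a real proxy).
    request_headers = {"Host": "app.example", "User-Agent": "demo/1.0",
                       "Proxy": "http://203.0.113.5:8080"}
    # Constructed CGI environment as the web server would build it (RFC 3875).
    env = {"REQUEST_METHOD": "GET", "SCRIPT_NAME": "/cgi-bin/app"}
    env.update(cgi_meta_variables(request_headers))
    return {"naive": naive_proxy_from_env(env),      # client-supplied proxy is used
            "safe": safe_proxy_from_env(env),        # None: the header is ignored
            "edge_blocks": has_proxy_header(request_headers)}


if __name__ == "__main__":
    print(demo())
```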
Can NetScaler act as a vaccination against the HTTPoxy disease?
In a word, yes!
First, NetScaler itself is not affected by HTTPoxy!
Second, NetScaler has several features that both protect against and block HTTPoxy attacks.
Here is how you can protect against this vulnerability with NetScaler:
1. Drop requests with a Proxy header
Use the Responder feature in NetScaler to drop such requests with a simple policy, as shown below. The policy matches on the mere presence of the Proxy header, since no legitimate client sends one; bind it globally or to the relevant virtual server for it to take effect.
add responder policy httpoxy "HTTP.REQ.HEADER(\"Proxy\").EXISTS" DROP
2. Remove the Proxy header
Use the Rewrite feature in NetScaler to strip the Proxy header from a request, as shown below. This keeps the request flowing to the application but ensures HTTP_PROXY can no longer be set from it; again, bind the policy for it to take effect.
add rewrite action httpoxy_act delete_http_header Proxy
add rewrite policy httpoxPol "HTTP.REQ.HEADER(\"Proxy\").EXISTS" httpoxy_act
3. Block requests with a Proxy header
Use NetScaler AppFirewall signatures to block requests that carry a Proxy header.
NetScaler provides complete protection against HTTPoxy
With its powerful toolset, NetScaler offers effective means to block and drop attacks that exploit the HTTPoxy vulnerability. Use the methods above to protect your applications.
In addition to the above methods, you can also use NetScaler to switch your whole environment from HTTP to HTTPS, which provides safety against a number of different vulnerabilities. Stay safe with complete protection against vulnerabilities with NetScaler.
Blog content courtesy of Lena Yarovaya, Director of Technical Marketing at Citrix