
2 posts from April 2008


BigIP iRule: Tricking the Vulnerability Scanners

I'll have to post a follow-up on this to see if my hypothesis is correct, but I believe that a large number of vulnerability scanners perform simple HTTP HEAD requests against a site and mark it vulnerable to certain things based on the data returned by that HEAD request. The scanners themselves are inferring things from the Server field in the HTTP header.

During a recent late-night release, while waiting for my turn to do something, I ran through some outstanding audit items and came across a large number of PHP- and Perl-related vulnerabilities on a good percentage of the sites I support. The trouble is, we don't use mod_php or mod_perl; we're a Java shop, so seeing PHP vulnerabilities crop up raised an eyebrow.

The following iRule looks at the response header coming back from your web servers and sanitizes it. I know, the more web servers you have, the more likely you are going to want to keep the web server types in a class. One issue with DevCentral on F5 is that iRules seem to assume a certain amount of expertise with Tcl, and come on... how many web site administrators not running AOLserver already have that expertise?

    # Runs on every response from the pool member, before it reaches the client.
    when HTTP_RESPONSE {
        # Collapse "Apache/2.x.y (OS) mod_foo/..." down to the bare product name.
        if { [HTTP::header "Server"] contains "Apache" } {
            HTTP::header replace "Server" "Apache"
        } elseif { [HTTP::header "Server"] contains "IIS" } {
            HTTP::header replace "Server" "IIS"
        }
        # Any other Server value passes through unchanged.
    }

Now you might be wondering why I didn't just set the ServerTokens directive in Apache (or whatever it is you need to do in IIS) to mask the OS and web server version in the Server: header. Well, you can, but that would make for a dull post, and at some point in the future you might really want to know what a particular site is running inside your network. This rule masks it from the Internet while still letting you get the information quickly from your desk at work. Why? Because your Internet users are interacting with the VIP, but you are connecting to the real server internally.
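To check that the rewrite does what you expect before and after rolling the iRule out, here is an added example (my own Python, not code from the post or from F5) that applies the same two substring rules to a captured HTTP response head. The sample response is constructed; the output of `curl -I` against the VIP can be pasted in its place.

```python
"""Offline check of the Server-header rewrite the iRule performs (sample is constructed)."""
import re

# Same substring rules as the iRule; first match wins, anything else is
# passed through untouched (so a third server type would still leak).
NORMALISE_RULES = (("Apache", "Apache"), ("IIS", "IIS"))


def normalise_server(value):
    """Return the Server value the iRule would send to the client."""
    for needle, replacement in NORMALISE_RULES:
        if needle in value:  # case-sensitive substring test, like `contains`
            return replacement
    return value


def server_header(raw):
    """Server header value from an HTTP/1.x response head, or None."""
    for line in raw.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def sanitise_response_head(raw):
    """Rewrite the Server header line(s) exactly as the iRule would."""
    out = []
    for line in raw.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            line = "Server: " + normalise_server(value.strip())
        out.append(line)
    return "\r\n".join(out)


def leaks_version(value):
    """True if a Server value still carries a version or module token,
    the kind of detail a header-only scanner keys its PHP/Perl checks on."""
    return bool(re.search(r"/\d|\(|mod_", value or ""))


# Constructed sample: what an origin server might return to a HEAD request.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.8 (Unix) mod_jk/1.2.26 PHP/5.2.5\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
```

Running `leaks_version(server_header(...))` on a capture taken through the VIP should return False once the iRule is in place, while the same capture taken directly against the real server still returns True.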


....no longer second place....

Well, that didn't take very long. In my never-ending war with the quilting, sewing, and related sites, I've fallen, temporarily, into Google search result oblivion. A simple Google search for 'allsorts and notions' now results in this site showing up, well, somewhere... I gave up looking for it. I'll be back though, once I hatch some other nefarious plot to take back my number two spot.

One question I have regarding Google AdSense, now that I've been doing this for a while, is: "What happens when I find an advertisement listed on my own site that actually interests me and I'd like to click it?" Does one wind up violating the Terms of Service? Curse you, AdSense, for being so darn good at targeting ads!