BigIP iRule: Tricking the Vulnerability Scanners
I'll have to post a follow-up on this in order to see if my hypothesis was correct, but I believe that a large number of vulnerability scanners perform simple HTTP HEAD requests on a site and mark a site vulnerable to certain things based upon the data returned by that HEAD request. The scanners themselves are assuming certain things based upon the Server field in the HTTP header.
During a recent late-night release, while waiting for my turn to do something, I ran through some outstanding audit items and came across a large number of PHP- and Perl-related vulnerabilities on a good percentage of the sites that I support. The trouble is, we don't utilize mod_php or mod_perl; we're a Java shop, so seeing PHP vulnerabilities crop up raised an eyebrow.
The following iRule looks at the Server response header coming back from your web servers and sanitizes it. I know, the more web server types you have, the more likely you are going to want to keep those types inside a class (data group) rather than hard-coding them in the rule. One issue with DevCentral on F5 is that iRules seem to assume a certain amount of expertise with Tcl, and come on...how many web site administrators not running AOLServer already have that expertise?
when HTTP_RESPONSE {
    # Collapse the backend's Server banner (e.g. "Apache/2.2.x (Unix) PHP/5.x")
    # to just the product name so the version and modules are not exposed.
    if { [HTTP::header "Server"] contains "Apache" } {
        HTTP::header replace "Server" "Apache"
    } elseif { [HTTP::header "Server"] contains "IIS" } {
        HTTP::header replace "Server" "IIS"
    }
}
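The class-based variant mentioned above, written here as an added example rather than code from the original post: it assumes a string data group named server_tokens (hypothetical) whose keys are banner substrings and whose values are the sanitized names, and it uses the v10+ `class` command; it also strips the header entirely when the banner matches nothing in the class, so an unexpected backend does not leak its raw banner.

```tcl
# Assumed data group (type: string), constructed for this example:
#   ltm data-group internal server_tokens {
#       records {
#           "Apache" { data "Apache" }
#           "IIS"    { data "IIS" }
#           "nginx"  { data "nginx" }
#       }
#       type string
#   }
when HTTP_RESPONSE {
    if { [HTTP::header exists "Server"] } {
        # Find the first class key contained in the backend's Server banner
        # and return that key's value (the sanitized product name).
        set sanitized [class match -value [HTTP::header "Server"] contains server_tokens]
        if { $sanitized ne "" } {
            # Known product: keep only the bare name, drop version/OS/modules.
            HTTP::header replace "Server" $sanitized
        } else {
            # Unknown backend: do not pass the raw banner to the Internet.
            HTTP::header remove "Server"
        }
    }
}
```

Adding a new backend type then means adding one record to the data group instead of editing the iRule.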
Now you might be wondering why I didn't just set the ServerTokens directive in Apache (or whatever it is you need to do in IIS) to mask the OS and web server version in the Server: header. Well, you can, but that would make for a dull post, and at some point in the future you might really want to know what a particular site is running inside your network. This rule masks the banner from the Internet while still letting you get the information quickly from your desk at work. Why? Because your Internet users are interacting with the VIP, but you are connecting to the real server internally, where the iRule never runs.