Security Basics mailing list archives
Re: Microsoft Urlscan Filter v3.0
From: "J. Oquendo" <sil () infiltrated net>
Date: Fri, 29 Aug 2008 10:33:50 -0500
On Fri, 29 Aug 2008, Jorge L. Vazquez wrote:
> One of the things that UrlScan does is protect your web server from being fingerprinted. For example, when using network scanners like nmap or nikto to do a server fingerprint, I know for a fact that when UrlScan is installed on the server, nmap fails to fingerprint the server, and so does nikto. The one that comes closest to detecting the type of server is httprint; what it does is take an educated guess and give you the percentage of how sure it is, and again, with UrlScan installed, httprint says it is sure to about 50 or 60%, which is not good enough. So, as you can see, it would hurt you to install UrlScan, and of course if you don't know what type of server is running on port 80 it makes it much more difficult to find exploits for something you don't know. You may want to check out this article: http://www.pctechtips.org/pentesting_webservers_httprint_nikto_nessus.htm Here you can see how nmap fails to properly identify the kind of server running on port 80.
Read it verbatim: "UrlScan version 3.0 is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from being processed by web applications on the server."

This tangent on fingerprinting is moot in the sense that a security wizard can deduce what kind of server is running without the use of nmap, Nessus, etc. I don't know about you, but error pages do tell a lot:

// BEGIN
Server Error in '/Foo' Application.

Runtime Error

Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".

<!-- Web.Config Configuration File -->
<configuration>
    <system.web>
        <customErrors mode="Off"/>
    </system.web>
</configuration>
// END

If someone doing either pentesting or even intruding is not competent enough to determine what kind of server spits out a message like this, they need to go back and RTFM on security. This rambling about "security through obscurity" a la "oh noehz!!! Better hide the server type" is stupid and will only protect against lowly attackers, not a determined, structured attack. Even with the lowly attacker, what's to stop them from running any and all known HTTP exploits against a server anyway? I see it done all the time on my servers: idiots hacking away using IIS exploits against a FreeBSD machine. URLScan is nothing more than a sleight of hand.

It is potentially possible that it will block known attacks, but let history serve its purpose: how many IDSs/IPSs fell victim to Unicode? There is always going to be a workaround for programs like URLScan. So here is an idea for you...

Internet --> Apache_as_a_Proxy --> IIS

with Apache running, say, mod_security to filter things out before they hit your IIS server. Now, there is the potential that kiddiots relying on fingerprinting will use Apache exploits against IIS, which would fail miserably. See Ivan's ramblings on PCI; he has a lot of informative information regarding this.

http://blog.ivanristic.com/2008/02/pci-requirement.html
http://blog.ivanristic.com/2008/04/pci-council-rel.html

Quote: "ModSecurity, an open source intrusion detection and prevention engine for web applications, may be just what organizations need to fulfill PCI DSS compliance obligations without the sticker shock."
http://pcianswers.com/2006/09/26/what-is-an-application-firewall/

No matter what you want to throw on a machine, it really boils down to the engineering. I've seen IIS servers which were tighter than a vise grip get compromised. One small fumble and you're hit.

// Nutshell
URLScan is not a WAF
URLScan is a band-aid
Tangents on hiding your fingerprint are idiotic

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1)
CEH/CNDA, CHFI

"Experience hath shewn, that even under the best forms (of government) those entrusted with power have, in time, and by slow operations, perverted it into tyranny." Thomas Jefferson

wget -qO - www.infiltrated.net/sig|perl
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB
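The argument above, that a stock error page identifies the platform whether or not the Server banner has been stripped, as an added example that is not code from this thread or from any tool named in it: a small passive fingerprinter that scores a response by evidence in the body (the ASP.NET customErrors page quoted in the post, Apache's `<address>` footer) and, with lower weight, by headers. The sample responses and the weights are constructed here for illustration; the signature strings are the ones seen on stock ASP.NET/IIS and Apache error documents.

```python
import re

# Evidence table: (label, where, compiled pattern, weight).
# "body" patterns run over the HTML; "header:<Name>" patterns run over that
# response header. Weights are an illustrative choice, not a published scheme.
EVIDENCE = [
    # The stock ASP.NET runtime-error page quoted in the post above.
    ("ASP.NET/IIS", "body", re.compile(r"Server Error in '[^']*' Application"), 3),
    ("ASP.NET/IIS", "body", re.compile(r"(?:<|&lt;)customErrors\s+mode="), 2),
    ("ASP.NET/IIS", "body", re.compile(r"web\.config"), 1),
    # Headers other than Server, which a banner-stripping filter may leave alone.
    ("ASP.NET/IIS", "header:X-Powered-By", re.compile(r"ASP\.NET"), 2),
    ("ASP.NET/IIS", "header:X-AspNet-Version", re.compile(r"."), 2),
    ("ASP.NET/IIS", "header:Server", re.compile(r"Microsoft-IIS"), 2),
    # Apache's default error documents end with an <address> footer.
    ("Apache", "body", re.compile(r"<address>Apache\S*.*? Server at \S+ Port \d+</address>"), 3),
    ("Apache", "body", re.compile(r"The requested URL \S+ was not found on this server\."), 1),
    ("Apache", "header:Server", re.compile(r"Apache"), 2),
]


def fingerprint(headers, body):
    """Score each candidate platform from the evidence that matched.

    Returns {label: (score, [descriptions of matched evidence])}. Header names
    are compared case-insensitively; the body is searched as-is.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    scores = {}
    for label, where, pattern, weight in EVIDENCE:
        if where == "body":
            haystack = body
        else:
            haystack = hdrs.get(where.split(":", 1)[1].lower(), "")
        match = pattern.search(haystack)
        if match:
            score, hits = scores.get(label, (0, []))
            scores[label] = (score + weight, hits + [f"{where}: {match.group(0)[:60]!r}"])
    return scores


def best_guess(headers, body):
    """Return (label, score) for the strongest candidate, or ("unknown", 0)."""
    scores = fingerprint(headers, body)
    if not scores:
        return ("unknown", 0)
    label = max(scores, key=lambda k: scores[k][0])
    return (label, scores[label][0])


# Constructed sample 1: the ASP.NET error page from the post, served with the
# Server header removed, as a banner-hiding filter would leave it.
ASPNET_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "private"}
ASPNET_BODY = """<html><head><title>Runtime Error</title></head><body>
<h1>Server Error in '/Foo' Application.</h1>
<h2>Runtime Error</h2>
<b>Description:</b> An application error occurred on the server. The current
custom error settings for this application prevent the details of the
application error from being viewed remotely (for security reasons).
<b>Details:</b> To enable the details of this specific error message to be
viewable on remote machines, please create a &lt;customErrors&gt; tag within a
"web.config" configuration file located in the root directory of the current
web application.
<pre>&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode="Off"/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre>
</body></html>"""

# Constructed sample 2: a default Apache 404 document with its Server header.
APACHE_HEADERS = {"Server": "Apache/2.2.9 (Unix)", "Content-Type": "text/html; charset=iso-8859-1"}
APACHE_BODY = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /foo was not found on this server.</p>
<hr>
<address>Apache/2.2.9 (Unix) Server at www.example.com Port 80</address>
</body></html>"""

if __name__ == "__main__":
    print("ASP.NET page, no Server header:", best_guess(ASPNET_HEADERS, ASPNET_BODY))
    print("Apache 404 with Server header:  ", best_guess(APACHE_HEADERS, APACHE_BODY))
    print("Apache 404, header stripped:    ", best_guess({}, APACHE_BODY))
    # An Apache proxy in front of IIS: the banner says Apache, the body says ASP.NET.
    print("Apache banner, ASP.NET body:    ", best_guess({"Server": "Apache"}, ASPNET_BODY))
```

The last case is the one the proxy suggestion above produces: an Apache front end rewrites the banner, but an unhandled exception in the backend application still returns the ASP.NET page, and the body evidence outweighs the header. Hiding the banner changes nothing unless the error documents are replaced as well.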
Current thread:
- Microsoft Urlscan Filter v3.0 amatachick (Aug 28)
- Re: Microsoft Urlscan Filter v3.0 Jorge L. Vazquez (Aug 29)
- Re: Microsoft Urlscan Filter v3.0 J. Oquendo (Aug 29)
- Re: Microsoft Urlscan Filter v3.0 Jorge L. Vazquez (Aug 29)