Recently I was reading Attack Research's blog post on trace.axd; refer to http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-12-traceaxd.html. The information in trace files is always worth collecting and sometimes yields additional benefits from a pen tester's perspective. I want to add one more point, arising from a misconfiguration in the web server setup. It is simple, but worthwhile.
During my testing I have seen that a misconfigured redirection from port 80 to port 443, including the path entries, can have serious implications. I am taking trace.axd as a simple example. A Google dork such as (inurl:trace filetype:axd site:com) returns several targets. Here is an interesting case study.
1. Accessing the target over plain HTTP in a browser returns the following:
The response headers are:
(Status-Line) HTTP/1.1 403 Forbidden
Cache-Control private
Content-Type text/html; charset=utf-8
Server Microsoft-IIS/7.5
X-AspNet-Version 2.0.50727
X-Powered-By ASP.NET
Date Wed, 30 May 2012 18:41:24 GMT
Content-Length 2062
The Metasploit trace.axd scanner module produces the same result.
2. That is not the end of it. Due to inappropriate configuration, the same resource can be accessed over HTTPS. Really? Let's see.
The response headers for this request are:
(Status-Line) HTTP/1.1 200 OK
Cache-Control private
Content-Type text/html; charset=utf-8
Content-Encoding gzip
Vary Accept-Encoding
Server Microsoft-IIS/7.5
X-AspNet-Version 2.0.50727
X-Powered-By ASP.NET
Date Wed, 30 May 2012 18:40:59 GMT
Content-Length 1322
The two responses show the misconfiguration: whatever returns the 403 on port 80 is not applied on port 443. Access to trace.axd is governed by the trace element in web.config (its enabled and localOnly attributes); with localOnly="true" only requests from the local machine are served, and that rule does not depend on the scheme. A 403 over HTTP beside a 200 over HTTPS therefore means the two bindings are not being served under the same rules (for example, a request filter or rewrite rule applied only to the HTTP binding), so a "fix" limited to port 80 is no fix at all. Either both ports must deny the request, or both should return the same error page.
Use the Metasploit auxiliary module (auxiliary/scanner/http/trace_axd) to extract all the information, or browse directly to trace.axd over HTTPS.
The overall aim is to check every entry point, over every scheme and port the host exposes, while doing a penetration test; a 403 on one port says nothing about the other.
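To make the "check both ports" step repeatable, here is an added example (not code from the original post or from Attack Research) that requests the same path over http and https and flags any path that answers 200 on either scheme or answers differently between them. The host www.example.com and the constructed status table are stand-ins for the responses shown above; on a real engagement pass the target host on the command line and the script uses live requests instead.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlunsplit

# Paths to probe over every scheme. trace.axd is the one this post is about;
# add further handlers to the tuple as an engagement requires.
DEFAULT_PATHS = ("/trace.axd",)


def fetch_status(url, timeout=10):
    """Return the HTTP status code for a GET of url, or None if nothing answered."""
    req = urllib.request.Request(url, headers={"User-Agent": "scheme-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 4xx/5xx responses still carry a status code
    except (urllib.error.URLError, OSError):
        return None  # refused, timed out, TLS failure: treated as "no answer"


def compare_schemes(host, paths=DEFAULT_PATHS, fetch=fetch_status):
    """Fetch each path over http and https and flag exposure and inconsistency."""
    findings = {}
    for path in paths:
        codes = {
            scheme: fetch(urlunsplit((scheme, host, path, "", "")))
            for scheme in ("http", "https")
        }
        answered = [code for code in codes.values() if code is not None]
        findings[path] = {
            "http": codes["http"],
            "https": codes["https"],
            # Served on at least one binding: the resource is reachable.
            "exposed": 200 in answered,
            # The bindings disagree: the access rule is not applied uniformly.
            "inconsistent": len(set(answered)) > 1,
        }
    return findings


def report(findings):
    """Render findings as one line per path."""
    lines = []
    for path, f in findings.items():
        flag = "EXPOSED" if f["exposed"] else "ok"
        note = " (differs by scheme)" if f["inconsistent"] else ""
        lines.append(f"{path}: http={f['http']} https={f['https']} -> {flag}{note}")
    return "\n".join(lines)


# Constructed stand-in for the two responses shown in the post (403 over HTTP,
# 200 over HTTPS) so the check can run offline.
CONSTRUCTED_RESPONSES = {
    "http://www.example.com/trace.axd": 403,
    "https://www.example.com/trace.axd": 200,
}


def simulated_fetch(url, timeout=10):
    """Offline replacement for fetch_status backed by CONSTRUCTED_RESPONSES."""
    return CONSTRUCTED_RESPONSES.get(url, 404)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = compare_schemes(sys.argv[1])  # live probe of the given host
    else:
        result = compare_schemes("www.example.com", fetch=simulated_fetch)
    print(report(result))
```

A TLS handshake failure (for example a self-signed certificate) is reported as None rather than a status code, so a host showing http=403 https=None has not been cleared; retry that case with certificate verification relaxed or through a proxy before concluding anything.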
Enjoy !