Proxies Behaving Badly, by Node 5, [2010-04-16] at 20:26:38
Summary: Working for a municipal government means that we get requests on our webserver for all kinds of information about our city from citizens, businesses, etc. A while ago the bleedingthreats project released a couple of rules to look for unencrypted basic HTTP auth. I went ahead and deployed these rules, as we should never have any webapp that takes unencrypted base64 auth, and if one was ever deployed I wanted to know about it. As a side effect of deploying these rules, we found that many proxies were sending valid internal proxy authentication credentials to our webservers even though we were not prompting for any sort of auth. These are organizations such as Fortune 50 financial institutions, clinical research facilities, a check verification company, a home and auto insurance company; the list goes on and on. I honestly get a couple of these a week. In most cases it is a nightmare to try and get anybody on the phone, as most organizations' ARIN contact information is incorrect. I don't know how many companies I called and got a message saying "press 0 to talk to an operator", only to press 0 and hear the same stupid automated message in a loop. Quite a few of the internal authentication credentials I received seemed to be leaked by Blue Coat proxies. I contacted the guys at Fishnet Security, as I don't have access to a Blue Coat. The only thing they found was a setting that had to be set via the command line and, according to Jake Reynolds at Fishnet, should only be set in very special reverse proxy configurations. The configuration parameter is spoof-authentication; if you are running Blue Coat with this option disabled, try deploying a Snort box to watch its public-facing interface with the following rules to see if your proxy is leaking auth. These are prone to FPs as HTTP is essentially stateless, but should reduce noise for statically served content. It still kills me that companies like Cisco and Oracle still use unencrypted basic HTTP auth, sigh...
This is a perfect opportunity for you to deploy full content logging in your enterprise, make the Bejtlich proud.

# Rules as reproduced in the post, with the Snort syntax ($ variables, "->", parentheses, quotes,
# |hex| byte matches and ";" separators) restored. The first two only set flowbits (noalert); the
# last two fire when Basic credentials appear on a flow that never saw a 401/407 challenge.
# Assumption: the "YW5vbnltb3VzOg" ("anonymous:") match is negated with "!", as the rules are
# meant to ignore anonymous logins, not to alert only on them.
alert tcp any $HTTP_PORTS -> any any (msg:"BLEEDING-EDGE POLICY Basic Auth Challenge from HTTP Server"; flow:established,to_client; content:"HTTP/1."; depth:7; nocase; content:"|20|401"; within:5; content:"|0d 0a|WWW-Authenticate|3a 20|"; nocase; flowbits:set,httpbasicrequest; flowbits:noalert; classtype:policy-violation; sid:3000526; rev:8;)
alert tcp any $HTTP_PORTS -> any any (msg:"BLEEDING-EDGE POLICY Proxy Auth Challenge from HTTP Server"; flow:established,to_client; content:"HTTP/1."; depth:7; nocase; content:"|20|407"; within:5; content:"|0d 0a|Proxy-Authenticate|3a 20|"; nocase; flowbits:set,httpproxyauthrequest; flowbits:noalert; classtype:policy-violation; sid:3000527; rev:8;)
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Outgoing Basic Auth Base64 HTTP Password leaked"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg"; within:32; flowbits:isnotset,httpbasicrequest; flowbits:isnotset,httpproxyauthrequest; classtype:policy-violation; sid:3000528; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Incoming Basic Auth Base64 HTTP Password leaked"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg"; within:32; flowbits:isnotset,httpbasicrequest; flowbits:isnotset,httpproxyauthrequest; classtype:policy-violation; sid:3000529; rev:4;)
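As an added illustration, not code from the Node 5 post or from the bleedingthreats project, the Python below re-implements the flowbits logic of the four rules over constructed HTTP messages: a 401/407 challenge from the server sets a per-flow bit, and an Authorization: Basic header arriving on a flow with neither bit set is reported, keeping the "anonymous:" exclusion. The hostname and the credential in the sample traffic are fabricated.

```python
import base64
import re

# Base64 of "anonymous:", the prefix the original rules exclude via content:!"YW5vbnltb3VzOg".
ANONYMOUS_B64 = "YW5vbnltb3VzOg"
# status code -> (flowbit the challenge rule sets, header that must accompany the challenge)
CHALLENGES = {b"401": ("httpbasicrequest", b"www-authenticate:"),
              b"407": ("httpproxyauthrequest", b"proxy-authenticate:")}

class Flow:
    """One TCP flow; self.bits plays the role of Snort's per-flow flowbits."""
    def __init__(self):
        self.bits = set()

    def server_says(self, payload: bytes) -> None:
        # sids 3000526/3000527: "HTTP/1." at depth 7, " 401"/" 407" right after, and the
        # challenge header in the response: set the flowbit, never alert.
        m = re.match(rb"http/1\.[01] (401|407)", payload[:12], re.IGNORECASE)
        if m and CHALLENGES[m.group(1)][1] in payload.lower():
            self.bits.add(CHALLENGES[m.group(1)][0])

    def client_says(self, payload: bytes):
        # sids 3000528/3000529: Basic credentials on a flow where neither challenge
        # flowbit is set were volunteered by the client, which is the leaky-proxy case.
        m = re.search(rb"\r\nauthorization: basic ([a-z0-9+/=]+)", payload, re.IGNORECASE)
        if not m or self.bits & {"httpbasicrequest", "httpproxyauthrequest"}:
            return None
        token = m.group(1).decode()
        if token.startswith(ANONYMOUS_B64):  # the rules' negated content match
            return None
        # Report only the account name; a defender's alert never needs the password.
        user = base64.b64decode(token + "=" * (-len(token) % 4)).split(b":", 1)[0]
        return {"user": user.decode(errors="replace"), "sid": 3000529}

def scan(exchange):
    """exchange: list of ("c"|"s", payload) for one flow, in wire order; returns alerts."""
    flow, alerts = Flow(), []
    for who, payload in exchange:
        if who == "s":
            flow.server_says(payload)
        elif (hit := flow.client_says(payload)):
            alerts.append(hit)
    return alerts

# Constructed traffic, not captures from the post; the credential below is fabricated.
LEAKED = base64.b64encode(b"corp\\jsmith:Passw0rd!").decode()
CHALLENGED = [("c", b"GET /docs HTTP/1.1\r\nHost: city.example\r\n\r\n"),
              ("s", b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"docs\"\r\n\r\n"),
              ("c", b"GET /docs HTTP/1.1\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n")]
UNPROMPTED = [("c", b"GET / HTTP/1.1\r\nHost: city.example\r\nAuthorization: Basic "
                    + LEAKED.encode() + b"\r\n\r\n")]
ANON = [("c", b"GET / HTTP/1.1\r\nAuthorization: Basic YW5vbnltb3VzOg==\r\n\r\n")]
```

Running scan() over the three flows shows only UNPROMPTED producing an alert, which is exactly the traffic pattern the post attributes to the misconfigured proxies.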