(http://theITspecialist.co.uk) - Graham Hosking

Sunday, 28 July 2013

Obfuscating HTTP header using Netscaler

I've got a yearly penetration test coming up and yes it sounds painful but there's ways we can make things a lot more difficult for the testers and hackers a like!

One of the ways people will try to hack your system is to look for vulnerabilities in your web facing servers, if they know what you're running in the background they can similarly lookup these vulnerabilities (exploits) on numinous websites. http://www.exploit-db.com/

For example:

We can use http://web-sniffer.net/ to query website headers that will show the server in the background.

We can see that this website is running Microsoft-IIS/7.0

We could then lookup the vulnerability and use exploits to get into the system - easy.
To make this harder lets setup a way to mask (Obfuscate) the information that's held in the HTTP headers.

On the Citrix Netscaler we can setup a "Rewrite" function that will rename the aspects of Server and Powered-By (ASP.NET for example).

1. Setup a Rewrite Action:

The Expression looks for a response header of "server"
The expression for replacement text we can set to whatever we like! Eg: "Web Server 1.1"

Example:  Server = Microsoft IIS7.0  replace with = Web Server 1.1

We can so this same with other headers such as the X-Powered-By:
Example: X-Powered-By = ASP.NET replace with = "Magic"

2. Now we have an Action, we need to bind it to a policy to action it!

Create a Action:
We'll also create another policy for the X-Powered in the same way.
3. We now need to bind the policy to each Virtual Server on the Netscaler, that we want this to work on.

Open a Load Balencing Vserver, Properties:
Navigate to -> Policies (TAB) -> Rewrite (RESPONSE) on the drop down.

Client Insert Policy and choose the pol_obsure-server and X-Powered

** On the GoTo Expression - ensure you have NEXT selected or the X-Powered policy will not take effect!**

Save it! -> Okay and save running Config

The Test!

Now let jump back to the http://web-sniffer.net/ and see if our Obfuscating works!?

Yep it looks like this has worked! We can't tell now what backend server we have running or what platform we're connecting to.

This makes it much harder for people trying to attack or deface your website, so from a security standpoint this should be your first line of defense. The same goes with Exchange, you can obfuscate the server names and internal address to do the same thing, but only using Exchange. Note that this can't be performed on the Netscaler as it will only perform the rewrite/responder capabilities with HTTP or SSL Vservers. 

Now - Have some fun and see that kind of things are in your headers, and what you can block.

Good Luck