[WEB SECURITY] HTTP error codes blocking
Suzio, Michael (ISS Southfield)
MSuzio at iss.net
Mon Aug 15 14:30:11 EDT 2005
So, the problem is that with ErrorDocument you can specify the returned
content, but not the returned status code. It looks like even if I do
something like this:
ErrorDocument 404 /pages/found.html
I still get a 404 status code in the header (even though now I am going
to get some "valid" content). Which points out your problem I guess.
Additionally, looking at the docs (at least for Apache 2.0) [
http://httpd.apache.org/docs/2.0/mod/core.html#errordocument ] we can
see this note:
"Although most error messages can be overridden, there are certain
circumstances where the internal messages are used regardless of the
setting of ErrorDocument. In
particular, if a malformed request is detected, normal request
processing will be immediately halted and the internal error message
returned. This is necessary to guard against security problems caused by
bad requests."
So ErrorDocument might not even be catching the things you want to guard
against!
Your ErrorDocuments can be CGI scripts, of course. See
http://httpd.apache.org/docs/2.0/custom-error.html to see the headers
that would get passed into the script to help in crafting appropriate
dynamic responses. I *think* this might let you rewrite the headers,
although I don't have the time just now to whip up an example and give
that a try. Doing this, you might be able to map all the behaviors of
interest into a single generic response that would fool attackers.
Another option is some sort of proxy in front of the web server maybe
(that catches stuff ErrorDocument will not handle, as shown above). Oh,
and make it an Apache proxy so you don't introduce those darn
vulnerabilities where Proxy + Server have different behaviors for "bad"
requests :-). Anyway, a rewriting proxy could probably do what you want
-- intercept the status code of interest and "fix" them.
This may very well be a fool's errand, however - too easy to miss
something that still gives away the actual server you are running. I'd
be leery of breaking "correct" behavior too. But if you can figure it
out, I'm sure we'd all be interested in hearing about it.
-----Original Message-----
From: joe shmoe [mailto:joeshmoepeter at yahoo.co.in]
Sent: Monday, August 15, 2005 2:01 PM
To: Paul Schmehl; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] HTTP error codes blocking
I am indeed using the apache's errorDocument feature. The
subject I was trying to solicit comments on was this:
(i) I want to customize not just the content of the error page
thrown to the user ("Dear user, foobar"), but the entire HTTP message --
pls note that the focus here is to defend against/confuse attackers and
scanners. What kind of status codes can I configure for specific errors
such that the attacker cannot fingerprint my server to be apache, IIS
etc.
Each of these servers returns different error codes for different
kinds of malformed requests. For ex: For GET HTTP/3.0, Apache returns 400
Bad Request, IIS returns 200 OK and Netscape returns 505 Version not
supported. How can I prevent such fingerprinting?
As an aside, can I configure the *headers and response codes* in
Apache via the errorDocument or some other utility? As I mentioned
above, it's not just the body that I want to customize, but the entire
status line as well as the headers. Do the commercial webservers provide
such functionality?
Thanks!
Joseph
Paul Schmehl <pauls at utdallas.edu> wrote:
My thoughts exactly. Why reinvent the wheel?
--On Friday, August 12, 2005 21:40:39 +0200 Dusan Juhas wrote:
> http://httpd.apache.org/docs/2.0/mod/core.html#errordocument
>
> < Hello,
> < Could anyone enlighten on the best way to block HTTP error codes to
> < avoid potential fingerprinting by an attacker?
> <
> < Would I be breaking the protocol if I send a 200 OK with a blank page
> < instead of say 404? What is the industry standard? Or the approach
> < followed by smart sysadmins?
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
>
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
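Added example, not part of the original thread: a sketch of the CGI ErrorDocument idea discussed above, in which one handler answers every masked error with the same status line, headers and body while logging the real status for operators. The script path, the uniform status and the body text are assumptions; it relies on the CGI `Status:` header and the `REDIRECT_` variables described on the custom-error page linked above, and it does not cover malformed requests that Apache answers with its internal messages.

```python
#!/usr/bin/env python3
"""Added example: CGI handler for Apache ErrorDocument that emits one uniform reply.

Assumed wiring (hypothetical path), one line per status to be masked:
    ErrorDocument 404 /cgi-bin/generic_error.py
    ErrorDocument 403 /cgi-bin/generic_error.py
"""
import os
import sys

# Assumption: every masked error is reported to the client as this one status.
UNIFORM_STATUS = "404 Not Found"
UNIFORM_BODY = "<html><body><p>The requested page is not available.</p></body></html>\n"


def original_error(environ):
    """Return (status, url) of the request that failed, as passed in by Apache.

    Apache exposes the original request to the error handler through
    REDIRECT_-prefixed variables such as REDIRECT_STATUS and REDIRECT_URL.
    """
    return environ.get("REDIRECT_STATUS", "-"), environ.get("REDIRECT_URL", "-")


def build_response(environ):
    """Build the CGI output: identical headers and body whatever the original error."""
    headers = [
        # A CGI "Status:" header sets the status line sent to the client.
        "Status: " + UNIFORM_STATUS,
        "Content-Type: text/html; charset=utf-8",
        "Cache-Control: no-store",
    ]
    return "\n".join(headers) + "\n\n" + UNIFORM_BODY


def audit_line(environ):
    """Log line for the server error log, so the real status is kept for operators."""
    status, url = original_error(environ)
    # repr() keeps control characters in the URL from forging extra log lines.
    return "generic_error: original_status=%s url=%r" % (status, url)


if __name__ == "__main__":
    sys.stderr.write(audit_line(os.environ) + "\n")  # CGI stderr goes to the error log
    sys.stdout.write(build_response(os.environ))
```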