Web Server HTTP Header Internal IP Disclosure

Question

One of my virtual servers returns the vulnerability Web Server HTTP Header Internal IP Disclosure during a Nessus scan. Security is asking me to fix this but I am not sure how. I tried creating a traffic policy that looks for the user agent browser version but it did not work. Can I remediate this using a traffic policy or an irule? Results from the Nessus scan (I replaced internal ip with x):

Nessus was able to exploit the issue using the following request :

GET / HTTP/1.0

Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1

Accept-Language: en

Connection: Close

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)

Pragma: no-cache

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

This produced the following truncated output (limited to 10 lines) :

------------------------------ snip ------------------------------

Location: https://x.x.x.x

Content-Length: 0

Set-Cookie: BIGipServersecuritycode_pool=!eqWzOV3gZ9FYUseX0oXX4p1/qldnSqlypGSckjlKQ4SixTXmSwQJ5JGJA+YkLWE6hOe7moh3oHoh8P8=; path=/; Httponly; Secure

X-FRAME-OPTIONS: SAMEORIGIN

------------------------------ snip ------------------------------

tiziano_rosato · Answer

they are refering to the easily to decode cookie BIGipServersecuritycode_pool , once decode you'll see the pool member IP address.

Easy solution is to encrypt the cookie.

Have a look into this great github page:

https://github.com/dnkolegov/bigipsecurity#persistence-cookie-information-leakage

jmasgalas · Answer

I am using an encrypted cookie. I also tried removing the server agent name from the http profile. Nessus still detects the location IP.

tiziano_rosato · Answer

if the problem is the Location header that expose an IP address you can try with a simple irule that will rewrite the Location, for example:

when HTTP_RESPONSE {

if { [HTTP::header is_redirect]} {

HTTP::header replace Location [string map -nocase {1.1.1.1 www.something.com} [HTTP::header value Location]]

}

But you can implement something similar using an LTM policy.

jmasgalas · Answer

Thanks for the reply. I did create the irule but Nessus is still detecting the same vulnerability. This is frustrating to say the least.

Here is my irule:

when HTTP_RESPONSE {

if { [HTTP::header is_redirect]} {

HTTP::header replace Location [string map -nocase {1.1.1.1 securitycode.summithealth.org} [HTTP::header value Location]]

}

I then tried something similar using a policy:

http header named Content-Location contains any of x.x.x.x at response time.

Replace http header named Content-Location with value securitycode.summithealth.org at response time.

Still not resolved.

jmasgalas · Answer

I was able to work around this by implementing the below irule but then the application breaks. Anyone have any ideas on how to remediate the vulnerability but keep the web site working?

when HTTP_RESPONSE {

if { [HTTP::header is_redirect]} {

HTTP::header replace Location \

[string map -nocase "https://x.x.x.x/vipssp/ https://securitycode.summithealth.org/vipssp/" [HTTP::header value Location]]

}

Forum Discussion

Web Server HTTP Header Internal IP Disclosure

5 Replies

Recent Discussions

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Related Content

2 internal server vlans

F5 Releases Out of Band Disclosure in Conjunction With Rapid7

After applied ASM Policy to Virtual Server, connections will reset with Internal error in log

Use BIG-IP LTM Virtual Server & iRule for an internal "What's My IP" website

ADFS WAP servers failed to establish trust with ADFS 2019 servers using internal vip