
Re: [WEB SECURITY] Technical Note by Amit Klein: "XST Strikes Back"




Amit Klein (AKsecurity) wrote:

>On 25 Jan 2006 at 8:29, Jeremiah Grossman wrote:
>
>>Impressive and scary, very nice find.
>
>Thanks :-)
>
>>Couple of questions:
>>
>>Does this affect proxies configured in both forward and reverse mode?
>
>Yes, as far as I tested.
>
>>What's the best technique to determine if there is a proxy in front?
>
>Well, send it a TRACE request with "Max-Forwards: 0", and see what comes out. This doesn't
>guarantee 100% success, but at the moment (with many proxies still supporting TRACE), it's
>a good (and cheap) shot. There are also telltale signs such as error messages.
>
Another way to know if there is a proxy in front is to send a malformed
HTTP request: if a reverse proxy exists, it returns its own error message
when it fails to parse the client's HTTP request, and it will send a header
containing something like:

X-Squid-Error: ERR_INVALID_REQ 0
Proxy-Connection: close



Regards,

-- 
Emilio Casbas
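A small audit helper, added here as an example and not code from either poster: it builds the TRACE probe with "Max-Forwards: 0" that Amit describes, parses a raw HTTP response, and reports the tell-tale signs both replies mention (a TRACE echo, X-Squid-Error, Proxy-Connection), plus the Via header, which the thread does not mention. The host name, the three sample responses and the probe() helper are constructed assumptions for the demonstration.

```python
import socket

# Tell-tale headers: X-Squid-Error and Proxy-Connection are the ones quoted in the
# thread; Via is added by proxies per RFC 2616 and is not mentioned in the thread.
PROXY_HEADERS = ("x-squid-error", "proxy-connection", "via")

def trace_probe(host: str) -> bytes:
    """TRACE with Max-Forwards: 0, as in Amit Klein's reply: the first hop that
    understands it must answer itself instead of forwarding to the origin."""
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\nMax-Forwards: 0\r\n"
            "Connection: close\r\n\r\n").encode()

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def proxy_signs(raw: bytes) -> list:
    """Return the proxy tell-tales found in one response (empty list = none seen)."""
    status, headers, _ = parse_response(raw)
    signs = [h for h in PROXY_HEADERS if h in headers]
    # A 200 with message/http means something answered the TRACE and echoed the
    # request back; a hardened edge should refuse it (405 or similar).
    if status == 200 and headers.get("content-type", "").startswith("message/http"):
        signs.append("trace-echo")
    return signs

def probe(host: str, port: int = 80) -> list:
    """Send the TRACE probe to a host you administer and classify its reply."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(trace_probe(host))
        raw = b""
        while chunk := sock.recv(4096):
            raw += chunk
    return proxy_signs(raw)

# Constructed sample responses (not captured from any real host):
SQUID_ERROR = (b"HTTP/1.0 400 Bad Request\r\nServer: squid\r\n"
               b"X-Squid-Error: ERR_INVALID_REQ 0\r\nProxy-Connection: close\r\n"
               b"Content-Type: text/html\r\n\r\n<html>Invalid Request</html>")
TRACE_ECHO = (b"HTTP/1.1 200 OK\r\nVia: 1.1 edge-proxy\r\nContent-Type: message/http\r\n"
              b"Content-Length: 57\r\n\r\nTRACE / HTTP/1.1\r\nHost: example.test\r\n"
              b"Max-Forwards: 0\r\n\r\n")
ORIGIN_REFUSAL = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\nContent-Length: 0\r\n\r\n"
```

Running proxy_signs() over the three samples gives the Squid error's two headers, the echo's "via" plus "trace-echo", and an empty list for the origin's 405, which is the answer a well-configured edge should give.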






Brought to you by http://www.webappsec.org