On fre, 2008-07-04 at 20:05 +0100, Julian Gilbert wrote:
> Thanks for your responses.
>
> What security problem does rewriting the host value prevent? I'm not sure
> what domain hijacking is. At work I currently use ISA Server 2004 and when
> it receives:
>
> GET http://66.102.9.147/
> HOST www.google.co.uk
>
> it connects to 66.102.9.147 and sends:
>
> GET /
> HOST www.google.co.uk

It's a cache pollution attack. As far as the proxy is concerned the
requested URL was http://66.102.9.147/ not www.google.co.uk.

This attack allows anyone who can host a web site on the same IP (not
uncommon in hosting environments) to set up an attack where the cache of
other web sites on that IP gets poisoned with content of their choice
simply by requesting

GET http://www.example.com/
Host: the.attackers.site

The proxy thinks http://www.example.com was requested, but the web server
delivers http://the.attackers.site/

If there is an intercepting proxy things get even worse as then the
attacker can poison any web site as they like, not even restricted by the
same IP limitation.

> Is this a security risk? The RFCs state that a web server MUST use
> http://66.102.9.147/ and ignore www.google.co.uk but as far as I can see a
> proxy is not required to ignore www.google.co.uk.

Proxies must fulfill both server and client requirements as they act as a
server to the client and as a client to the requested server. See 1.3
Terminology / Proxy.

Regards
Henrik
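The Host rewriting discussed in this thread, as an added Python sketch that is not part of the original message and not any proxy's actual code: the cache key and the upstream Host header are both derived from the request URL, and a disagreeing client-supplied Host is flagged. The function names and the sample requests are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

def parse_proxy_request(raw: bytes):
    """Split a proxy-form request into method, absolute URL and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def authority(url: str) -> str:
    """Host[:port] of an absolute URL, with the default port omitted."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("expected an absolute http:// URL")
    host = parts.hostname.lower()
    return host if parts.port in (None, 80) else f"{host}:{parts.port}"

def forward(raw: bytes):
    """Return (cache_key, upstream_request, mismatch) for one client request."""
    method, target, headers = parse_proxy_request(raw)
    url_host = authority(target)
    client_host = headers.get("host", "").lower().removesuffix(":80")
    mismatch = client_host not in ("", url_host)  # Host disagrees with the URL
    parts = urlsplit(target)
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    # Host is rebuilt from the URL, so the origin serves the same site
    # that the cache key names; the client-supplied value is discarded.
    upstream = f"{method} {path} HTTP/1.1\r\nHost: {url_host}\r\n\r\n"
    cache_key = f"{method} http://{url_host}{path}"
    return cache_key, upstream, mismatch

# Constructed sample requests (not taken from real traffic).
MISMATCHED = (b"GET http://www.example.com/ HTTP/1.1\r\n"
              b"Host: the.attackers.site\r\n\r\n")
CONSISTENT = (b"GET http://www.example.com/ HTTP/1.1\r\n"
              b"Host: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for sample in (MISMATCHED, CONSISTENT):
        key, upstream, mismatch = forward(sample)
        print(key, "| mismatch:", mismatch)
        print(upstream)
```

Logging the `mismatch` flag alongside the client address gives a simple signal for requests whose Host header disagrees with the URL they asked for.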