Updated version.
Tweaked false positives
Added test for Magnolia administrative interface
…hich needs to be done better).
Typo3 superadmin
Fix plugin id
Added variables for TYPO3
During recent tests, we've noticed that some WAFs or load balancers block requests which have the port specified on the Host header. Example: `Host: targetsite.com:443` This change modifies the Host header to remove the port part.
According to RFC 2068, which defines the Host header, it's appropriate to have a port in the Host header field: `Host = "Host" ":" host [ ":" port ]`. And further: A "host" without any trailing port information implies the default port for the service requested (e.g., "80" for an HTTP URL). So I think if a WAF/LB is blocking requests with a port it's violating the RFC. That said, it doesn't surprise me. I did some testing with browsers: the default port is not included, but anything else (e.g., example.com:8080) will include the port in the header. So this change will probably break anything not on 80/443. Best solution will be to modify LibWhisker (where I think it's set) and not add it for default port/scheme combinations.
Hi sullo, Thanks for the feedback.
I looked in LibWhisker and see the code that adds the host header doesn't add it if it's http/80 or https/443. I did some testing in burp and don't see Nikto sending it. Do you have a capture (output with -D D perhaps) which shows this behavior?
Sure, check this out: Notice the Host header outside Whisker. That's the one being used as the VHOST.
I've committed a change in place of this, which corrects a logic error in LibWhisker which was causing the port to be incorrectly added when the port was 443 and it was SSL, so I'm going to close this one unmerged. Thanks for bringing this to our attention!
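The RFC 2068 default-port rule sullo cites and the fix described in the closing comment, as an added Python example that is not Nikto or LibWhisker code (those are Perl): `build_host_header` keeps the port only for non-default scheme/port combinations, `buggy_build_host_header` is a hypothetical reconstruction of the kind of logic error the thread describes (treating only 80 as a default, so SSL on 443 gets a port appended), and `has_redundant_default_port` is a check a defender can run over Host header values to see which ones would trip a WAF or load balancer that rejects the port suffix. All function names and sample values are constructed for this example.

```python
"""Host header construction and checks for the default-port rule in RFC 2068
(Host = "Host" ":" host [ ":" port ]; no port implies the scheme's default).
Constructed example; not Nikto or LibWhisker code."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def build_host_header(scheme, host, port=None):
    """Value for the Host header of a request to scheme://host:port.

    The port is omitted when it is the default for the scheme (what browsers
    send) and kept otherwise, so non-default ports such as 8080 still work.
    """
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme}")
    if port is None or int(port) == DEFAULT_PORTS[scheme]:
        return host
    return f"{host}:{int(port)}"


def buggy_build_host_header(scheme, host, port=None):
    """Hypothetical reconstruction of the kind of logic error described in
    the thread: only port 80 is treated as a default, regardless of scheme,
    so an SSL request on 443 gets the port appended. Not LibWhisker's code."""
    if port is None or int(port) == 80:
        return host
    return f"{host}:{int(port)}"


def parse_host_header(value):
    """Split a Host header value into (host, port) following host [":" port].
    Returns port as int or None. IPv6 literals are out of scope for RFC 2068."""
    host, sep, port = value.strip().rpartition(":")
    if not sep:
        return value.strip(), None
    if not port.isdigit():
        raise ValueError(f"malformed Host header: {value!r}")
    return host, int(port)


def has_redundant_default_port(scheme, value):
    """True when the Host header carries the scheme's default port explicitly,
    the form the PR reports some WAFs/load balancers rejecting."""
    _, port = parse_host_header(value)
    return port is not None and port == DEFAULT_PORTS[scheme.lower()]


def host_header_for_url(url):
    """Derive the Host header a client should send for a URL."""
    parts = urlsplit(url)
    return build_host_header(parts.scheme, parts.hostname, parts.port)


def audit_requests(lines):
    """Scan constructed 'scheme host-header' records and report which ones
    would trip a default-port filter. Returns a list of (value, redundant)."""
    results = []
    for line in lines:
        scheme, value = line.split(maxsplit=1)
        results.append((value, has_redundant_default_port(scheme, value)))
    return results


if __name__ == "__main__":
    # Constructed sample records, not captured traffic.
    sample = ["https targetsite.com:443", "http example.com:8080",
              "http example.com", "https example.com:80"]
    for value, redundant in audit_requests(sample):
        print(f"{value:<24} redundant default port: {redundant}")
```

Note that `https example.com:80` is reported as not redundant: 80 is not the default for https, so dropping the port there would change which server the request reaches, which is the breakage sullo warns about for anything not on its default port.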
No problem, glad to contribute
Hi, and thanks for this fix. I had noticed the same some weeks ago and was happy to find a solution for this in here. |