Re: Thanks for the feedback and NAT-hide question

From: Tim (tim-pentest@sentinelchicken.org)
Date: Thu Aug 10 2006 - 19:53:19 EDT


Hi Erin,

> You are performing an external pen-test on a weblogic webserver cluster. The
> route to the host from the outside is Firewall->IPS->DMZ router->load
> balancer->webservers. The router is doing a NAT-hide translation to an
> internal subnet that the load balancers sit on with a VIP for the
> webservers. How do you get around those obstacles in order to get valid
> responses/results and possible find an exploitable hole in Weblogic?
>
> For this scenario I'll let's assume the IP's are:
>
> FW: 256.12.1.11 (yes I know it's not valid)
> IPS: none (inline, possible management interface on 10.1.1.0/24)
> DMZ router: 256.12.1.15 (ACL for allow 80/443. 256.12.1.15 public IP nats to
> various internal IP's. 80/443 traffic routed to LB VIP)
> LB: 10.2.1.12 VIP
> Webservers: 10.2.2.0/24

I don't know much about Weblogic, and I'm not especially experienced
with HA, but I'll throw in my first thoughts on it.

One mistake in the network design appears to be the placement of the
IPS. Wouldn't we normally want that positioned between the load
balancers and the webserver? Presumably the load balancers could
terminate SSL connections and allow the IPS a full view of upper-layer
attacks. So, attacking the web application over SSL is my first choice.

However, if you're still wanting to hit the lower layers, then I would
try find a way to differentiate between requests that are blocked at the
firewall, and ones that are blocked by the IPS. This would then allow
me to probe the policy on the firewall alone, possibly using idle scans
to conduct spoofed scans from more trusted 3rd party servers.

Oh, finally, if the load balancers operate more as reverse HTTP proxies
than lower-layer TCP/SSL accelerators, then I'd look into HTTP request
smuggling as well.

cheers,
tim

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:40 EDT