RE: reverse proxy identification

To:	"'sami ghourabi'" <sami.ghourabi@icn.com.tn>, <pen-test@securityfocus.com>
Subject:	RE: reverse proxy identification
From:	"Paul Melson" <pmelson@gmail.com>
Date:	Mon, 15 Jan 2007 11:55:54 -0500
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	pentest-list2@consult.net
Delivered-to:	mailing list pen-test@securityfocus.com
Delivered-to:	moderator for pen-test@securityfocus.com
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:from:to:references:subject:date:message-id:mime-version:content-type:content-transfer-encoding:x-mailer:in-reply-to:x-mimeole:thread-index; b=deFPsf3lAbzb5qtrVeN0fqtphz8dyghl2BbD+ajbEvHH1Bu4/BX/a0Oak/cW04qGtdvOctkm0C99dXrqKMZ308Kt8It6Mg/w/oUS8XUX0z8hEBhDAQ/bbp2W0lS8bfSUD1HkciPDTCmP1+yOa2Sa0u4UAxGVDrWYhDrbsfsIYWY=
In-reply-to:	<45A77155.4080505@icn.com.tn>
List-help:	<mailto:pen-test-help@securityfocus.com>
List-id:	<pen-test.list-id.securityfocus.com>
List-post:	<mailto:pen-test@securityfocus.com>
List-subscribe:	<mailto:pen-test-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:pen-test-unsubscribe@securityfocus.com>
Mailing-list:	contact pen-test-help@securityfocus.com; run by ezmlm
References:	<45A77155.4080505@icn.com.tn>
Resent-date:	Mon, 15 Jan 2007 15:42:29 -0700 (MST)
Resent-from:	pen-test-return-1078483394@securityfocus.com
Resent-message-id:	<20070115224229.8DB27238695@outgoing3.securityfocus.com>
Resent-sender:	listbounce@securityfocus.com
Sender:	listbounce@securityfocus.com
Thread-index:	Acc3QQ/AOLeSiPWYS0aB8mGfMap+rABguFqg

-----Original Message-----
Subject: reverse proxy identification

> When I browse to the IPs with firefox, I recieve several messages "No web
site is configured at this 
> address." for some IP.
> Does anybody here know if this message is specific to a given reverse
proxy/web server product ?

That's an IIS message.

For evidence of a reverse proxy - particularly one that's doing app
firewalling - look for it to block stuff that's attack-like.  For instance:

Request: /sexpistols.asp?track=god%20save%20the%20queen
Response: 200

Request: /sexpostols.asp?track=anarchy/../in/../the/../uk
Response: 302, 404, or some other response that suggests the app never saw
your request

If you're using Nessus, recent versions will often report the presence of
urlscan when a web app 'firewall' is in front of the actual web server.

PaulM



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
reverse proxy identification, sami ghourabi Re: reverse proxy identification, Andy Ashley RE: reverse proxy identification, Paul Melson <= Re: reverse proxy identification, AdamT Message not available Message not available Re: reverse proxy identification, Olivier Meyer Re: reverse proxy identification, R. DuFresne Re: reverse proxy identification, Javier Fernández-Sanguino Re: reverse proxy identification, Faisal Khan Re: reverse proxy identification, sami.ghourabi

Previous by Date:	SV: Community Rainbow Tables downloading, Per Thorsheim
Next by Date:	RE: Mile2 Training (Certifications), Renee Peters
Previous by Thread:	Re: reverse proxy identification, Andy Ashley
Next by Thread:	Re: reverse proxy identification, AdamT
Indexes:	[Date] [Thread] [Top] [All Lists]