http: 4 Topics

How to prevent Malicious HTTP Redirections on an Exchange server
Hello All! I am attempting to assist a customer who is trying to pass PCI scans. By default, their IP address redirects any HTTPS (443) requests to the Exchange server's OWA. This is fine, except the scan states that the server does not pass a couple of vulnerabilities, one of them being "Redirection via Arbitrary Host Header Manipulation". As a solution, they recommended whitelisting domains: only allow permitted domains to be included in the Host header. I (for the life of me) cannot figure out how to get this to work on a server whose default website is the Exchange OWA. Every time I try to implement a rule in IIS (see: https://techcommunity.microsoft.com/t5/iis-support-blog/host-header-vulnerability/ba-p/1031958) that would redirect any requests that don't match the supplied string to the desired domain name, the page won't load and I get "ERR_TOO_MANY_REDIRECTS", presumably because of Exchange's automatic OWA redirection. Is there a way I can prevent malicious HTTP redirections without breaking OWA?

To clarify: there are two domain names on our DNS that lead to the IP address of the Exchange server: mail.domain.com and vpn.otherdomain.com; obviously one is meant for mail and the other one is meant for VPN access over port 8443. The main domain (domain.com) leads to a completely different IP address that hosts their public website. I would like to change the IIS settings on the Exchange server so that mail.domain.com is the only domain allowed to be requested through an HTTP request.
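An added example (the editor's, not code from the thread or from Microsoft) of the allow-list the scanner asks for, written as a URL Rewrite rule for the Default Web Site's root web.config so that it is inherited by the Exchange virtual directories. It uses the poster's placeholder mail.domain.com; autodiscover.domain.com, exch01.corp.local and localhost are assumed stand-ins for the other names the site really serves. The point is the action type: a Host header that is not on the list is answered with a fixed 403 and no Location header, so there is nothing for the scanner to flag and no second request to loop into ERR_TOO_MANY_REDIRECTS. Only requests whose Host already matched ever reach Exchange's own OWA redirect.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original post: inbound Host header allow-list
     for the IIS site fronting Exchange OWA. Requires the IIS URL Rewrite module.
     Goes in the root web.config of the Default Web Site so child virtual
     directories (/owa, /ecp, /EWS, ...) inherit it. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Listed first so it runs before any redirect rule. A non-matching
             Host header gets a fixed response with no Location header, so the
             redirect loop that a Redirect action produces cannot happen. -->
        <rule name="Reject unexpected Host header" patternSyntax="ECMAScript" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <!-- {HTTP_HOST} may carry a port (host:443), hence the optional suffix.
                 Every name except mail.domain.com is an assumed placeholder: list
                 every name Exchange itself or internal clients use, e.g. the
                 Autodiscover name, the vdirs' InternalUrl/ExternalUrl hosts and
                 the server FQDN that Exchange's own health probes request. -->
            <add input="{HTTP_HOST}"
                 pattern="^(mail\.domain\.com|autodiscover\.domain\.com|exch01\.corp\.local|localhost)(:\d+)?$"
                 negate="true" ignoreCase="true" />
          </conditions>
          <!-- Fixed 403, no redirect. <action type="AbortRequest" /> would instead
               drop the connection without any response. -->
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
                  statusDescription="Host not allowed" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

To check it without touching DNS, send a request with a forged Host header straight to the server's address, e.g. curl -sk -o /dev/null -D - -H "Host: evil.example" https://<server-ip>/, and confirm a 403 with no Location header, then repeat with Host: mail.domain.com and confirm OWA still answers. Requests that use the bare IP as the Host header are rejected too, so any monitor that polls the server by IP needs its address added to the pattern. Exchange cumulative updates are known to reset IIS customizations, so re-check the rule after each update.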
using IIS URL Rewrite module for HTTP to HTTPS

I have installed the URL Rewrite module in IIS 10 to redirect HTTP calls to HTTPS, and I have attempted to set up the redirect but have not gotten it working on one server. Here is the issue: Server1 with IP 1.1.1.1 is running IIS with an HTTPS-enabled website. An outside DNS has assigned gohere.com to IP 1.1.1.1. When users attempt to get to http://gohere.com the connection times out and it is not redirected to https://gohere.com. Accessing https://gohere.com works without an issue. Here is the rewrite code from the web.config file:

<rewrite>
  <rules>
    <!-- Rule uses the default ECMAScript syntax: under patternSyntax="Wildcard"
         the condition pattern "^OFF$" is taken literally and never matches. -->
    <rule name="HTTP to HTTPS" stopProcessing="true">
      <!-- {URL} holds only the path, never the scheme or host, so a pattern of
           "http://gohere.com*" can never match. Capture the path instead. -->
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <!-- Keep host, path and query string; 301 so clients cache the redirect. -->
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" appendQueryString="true" />
    </rule>
  </rules>
</rewrite>

I have also tried using match url=".*". Any ideas on what might be causing the issue? Or something to try to get it working? Thanks!

Jim

Logging API HTTPS URIs
Hello, I run a local Java applet which opens a SunAwtFrame window, and I click a button there to download a CSV. I want to see the URI of this download, as it should be a permanent link that is part of an API. The problem is that it is under HTTPS, with certificates, and perhaps via localhost. Is there a way to get that URI? Thanks!

IIS 10: how to enable both HTTPS+HTTP bindings on one site to access the site from internet or local
Hi, I run an IIS web site having an HTTPS binding for host name "opendata.sperling.cz" at port 443. It is accessible from the internet, as the name is recorded in DNS and there is a rule in our router's firewall to reach the site. This is fine. What I would like to achieve is to be able to access the site from the local network or even localhost using an HTTP port. I have added a binding without any host name using port 91, but it does not work. I have tried to access it via http://localhost:91/ or http://192.168.10.20:91/, but none of it worked. It always redirected to https://localhost and displayed an SSL error, as the HTTPS host name does not match the entered one. What is wrong? Is it even possible? Thanks.

Milan
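An added example (the editor's, not from either poster) that covers the binding layout asked about in this post and the HTTP-to-HTTPS redirect asked about in the "using IIS URL Rewrite module for HTTP to HTTPS" post above. Two fragments of one site are shown: the bindings as IIS writes them in applicationHost.config, and the rule in that site's web.config. The hostname opendata.sperling.cz, the local address 192.168.10.20 and port 91 come from the posts; the site name, site id and port 80 are assumptions. Two points a practitioner would want: a rewrite rule can never produce a connection timeout, so the timeout reported in the earlier post means TCP port 80 was never reached (no http binding on the site, or the port not allowed through the firewall) and the binding must exist before any rule can redirect; and scoping the redirect to requests that arrived on port 80 for the public name is what keeps a hostname-less local binding like port 91 on plain HTTP instead of being bounced to https://localhost.

```xml
<!-- Added example, not from either post. Two fragments of the same IIS site. -->

<!-- 1. applicationHost.config: the site's bindings. Site name and id are
        assumptions; the hostname and port 91 are taken from the post. -->
<site name="opendata" id="2">
  <bindings>
    <!-- Public TLS endpoint, name-bound (sslFlags="1" = SNI) so other names
         pointed at this IP do not land on it. -->
    <binding protocol="https" bindingInformation="*:443:opendata.sperling.cz" sslFlags="1" />
    <!-- Public plain-HTTP endpoint whose only job is to answer with the redirect
         below. Without an http binding on 80, http:// requests time out and no
         rewrite rule ever runs. -->
    <binding protocol="http" bindingInformation="*:80:opendata.sperling.cz" />
    <!-- Local plain-HTTP endpoint, no hostname, so it answers as
         http://localhost:91/ and http://192.168.10.20:91/ alike. -->
    <binding protocol="http" bindingInformation="*:91:" />
  </bindings>
</site>

<!-- 2. web.config of that site: redirect to HTTPS only when the request came in
        on port 80 for the public name. Port-91 traffic fails the SERVER_PORT
        condition and is served over HTTP as-is. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Public HTTP to HTTPS" patternSyntax="ECMAScript" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTPS}" pattern="^OFF$" />
            <add input="{SERVER_PORT}" pattern="^80$" />
            <add input="{HTTP_HOST}" pattern="^opendata\.sperling\.cz$" ignoreCase="true" />
          </conditions>
          <!-- Redirect target is the fixed public name, not {HTTP_HOST}, so the
               response never echoes whatever Host header the client sent. -->
          <action type="Redirect" url="https://opendata.sperling.cz/{R:1}"
                  redirectType="Permanent" appendQueryString="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

To verify each path separately: curl -sI http://opendata.sperling.cz/ should return 301 with Location: https://opendata.sperling.cz/, while curl -sI http://192.168.10.20:91/ from inside the network should return the page itself with no Location header. If the second request still lands on https://localhost after this rule is in place, something other than URL Rewrite is redirecting (for example an HTTP Redirect feature on the site or an HSTS policy the browser has cached), and that is the next thing to look at.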