
I have a Salesforce application which uses my web application, hosted on one of our customer's servers (IIS 8.0).

A Burp scan has identified one issue in my web application. The issue is something like this.

Severity: High

Confidence: Certain

Host: https://test.customerserver.com

Path: /customerwebapplication

Issue detail

It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response.

The payload xxxxxxxx.burpcollaborator.net was submitted in the SSL SNI value and the HTTP Host header.

The application performed an HTTPS request to the specified domain. The response from that request was then included in the application's own response.

Vulnerability classifications

• CWE-610: Externally Controlled Reference to a Resource in Another Sphere

• CWE-918: Server-Side Request Forgery (SSRF)

My web application is hosted on IIS 8.0. So, is there any way to prevent the "Host" header from being different than the original server? I am not an expert in IIS configuration, so I am not sure if there is any configuration for that in IIS.

Any input to fix this issue?
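The URL Rewrite approach mentioned in the comments can be expressed as a request-blocking rule. The following web.config fragment is an added example, not code from the question or from any answer on this page; it assumes the IIS URL Rewrite module is installed, that the expected hostname is the one shown in the scan output (test.customerserver.com), and that the fragment is merged into the site's existing `<system.webServer>` section.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: reject any request whose Host header does not match the site's own hostname.
     Assumes IIS URL Rewrite 2.x is installed. The hostname is taken from the scan output in the question. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- stopProcessing="true" so no later rule can undo the rejection -->
        <rule name="Reject unexpected Host header" stopProcessing="true">
          <!-- apply to every URL on the site -->
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <!-- {HTTP_HOST} is the raw Host header; it may carry an explicit port, hence the optional ":443".
                 negate="true" makes the rule fire when the header does NOT match the allowlist. -->
            <add input="{HTTP_HOST}" pattern="^test\.customerserver\.com(:443)?$" negate="true" />
          </conditions>
          <!-- answer with a plain 400 instead of letting the application see the request -->
          <action type="CustomResponse" statusCode="400"
                  statusReason="Bad Request"
                  statusDescription="Unexpected Host header" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Two caveats worth keeping in mind. First, this rule only filters the HTTP Host header; the scanner also submitted its payload in the TLS SNI value, so the site binding in IIS should be tied to the expected hostname rather than left as a wildcard so that unknown SNI names are not served by this site at all. Second, the rule is defence in depth: the finding says the application itself fetched an attacker-supplied URL and echoed the response, which means somewhere the application is building an outbound request from the incoming Host header. The durable fix is for the application to take its own base URL from configuration (or a fixed constant) rather than from the request, and to validate any outbound destination against an allowlist.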

rakesh
  • Who is making the request? Your application or IIS? – Demi Feb 21 '18 at 16:06
  • @Demi - If http_host is specified in the HTTP GET request then IIS will redirect to the domain specified in http_host. In the real field, my Salesforce application will do the POST request to my web application. I am thinking of using URL Rewrite to prevent the invalid HTTP request. Any thoughts on URL Rewrite? – rakesh Feb 23 '18 at 04:52
  • That sounds like an IIS misconfiguration to me. The incoming request should not be able to influence that variable. – Demi Feb 23 '18 at 04:53
  • @rakesh, did you get any solution for this issue? – K D Oct 31 '19 at 08:54

0 Answers