Hello,
we are still doing some security testing on the Powershell Universal.
My colleague experienced some strange behavior. The HSTS header is set correctly but if we provoke HTTP 400 or 500 with spoofing faked values in the http requests we get HTTP answers without HSTS-Header. Is this the desired configuration or is just something missing within the kestrel webservice?
Thanks a lot!
Product: PowerShell Universal
Version: 3.7.11
Can you double check that it’s not running against localhost? It seems like kestrel does not send the HSTS headers when communicating over localhost.
We will double check next week.
Right now here some details about the faked/spoofed requests:
HTTP 400
GET /dashboardhub?dashboardid=1&id=123456 HTTP/1.1
Host: xyz.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Sec-Websocket-Version: 13
Origin: https://xyz.com
Sec-Websocket-Key: 55555555555
Connection: keep-alive, Upgrade
Cookie: .AspNetCore.Antiforgery.123456; .AspNetCore.Session=123456; .AspNetCore.Cookies=123456
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
HTTP 400 Answer:
HTTP/1.1 400 Bad Request
Content-Length: 0
Connection: close
Date: Wed, 24 May 2023 10:16:20 GMT
Server: Kestrel
HTTP 500
GET /xyz/home HTTP/2
Host: xyz.com
Cookie: .AspNetCore.Antiforgery.123456; RequestVerificationToken=123456; .AspNetCore.Session=123456
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@65465412kjhkahsd.oastify.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Cache-Control: no-transform
X-Forwarded-For: spoofed.o5u02424234st324234dq1f.oastify.com
Forwarded: for=spoofed.j5u02424234st3242347xw.oastify.com;by=spoofed.j1lv5u02424234st324234h97xw.oastify.com;host=spoofed.j15u02424234st32423497xw.oastify.com
Client-Ip: spoofed.g95u02424234st3242346gu5.oastify.com
Cf-Connecting_ip: spoofed.alzm5u02424234st32423410toi.oastify.com
X-Real-Ip: spoofed.g5u02424234st3242346du2.oastify.com
X-Client-Ip: spoofed.7rz5u02424234st324234x2lr.oastify.com
Referer: http://u5u02424234st324234ptkp8e.oastify.com/ref
Contact: root@65465412kjhkahsd.oastify.com
X-Originating-Ip: spoofed.nh8zdnq4szpct2h9jvjr513rrixdv1k.oastify.com
From: root@g2424234st324234put.oastify.com
True-Client-Ip: spoofed.2424234st324234ptmi.oastify.com
X-Wap-Profile: http://98f2424234st324234p4e.oastify.com/wap.xml
HTTP 500 Answer:
HTTP/2 500 Internal Server Error
Content-Type: text/plain
Date: Fri, 26 May 2023 09:22:07 GMT
Server: Kestrel
Cache-Control: no-cache,no-store
Expires: -1
Pragma: no-cache
An invalid IP address was specified.
The Real-IP spoofed to provocate http 500 spoofed.g5u02424234st3242346du2.oastify.com
Hello Adam,
we can approve that the HSTS-Header is missing on HTTP Errors like 400/500. On normal requests HSTS Header is set correctly.
Best regards,