Wednesday, December 12, 2007

Websense Policy Filtering Bypass


discovered by mrhinkydink

PRODUCT: Websense Enterprise 6.3.1

EXPOSURE: Web Filtering Bypass

SYNOPSIS
========

By spoofing the User-Agent header it is possible to bypass filtering and, to a lesser extent, monitoring in a Websense Enterprise 6.3.1 environment.

PROOF OF CONCEPT
================

The following was tested in an unpatched 6.3.1 system using the ISA Server integration product. It is assumed it will work with other integration products but this has not been tested. Other User Agents may also work.

I. Install FireFox 2.0.x

II. Obtain and install the User Agent Switcher browser plug-in by Chris Pederick

III. Add the following User Agents to the plug-in

Description: RealPlayer
User Agent : RealPlayer G2

Description: MSN Messenger
User Agent : MSMSGS

Description: WebEx
User Agent : StoneHttpAgent

IV. Change FireFox's User Agent to any one of the preceding values

V. Browse to a filtered Web site

VI. Content is allowed

Content browsed via this method will be recorded in the Websense database as being in the "Non-HTTP" category.

Demonstration:

Websens Policy Bypass (obsolete)


SEE ALSO
========
Websense KnowledgeBase article #976

The vendor acknowledges this behavior in the aforementioned article.

WORKAROUND
==========
Disable the protocols mentioned above.

VENDOR RESPONSE
===============
Websense cleaned up this issue in database #92938

NOTICE
======
mrhinkydink is not to be confused with the blogger by the same name at www.dailykos.com

c. MMVII mrhinkydink

7 comments:

  1. Anonymous1:16 AM

    thanks for the video... funny too with the ut sounds. Speaking of which what has happened to -=BotHouse=- as of 12/14/07? I dont see it i n the dm server list.

    ReplyDelete
  2. As the ancients used to say, pride comes before a fall. :( The morning after I disclosed the Websense bypass, I checked my email & went into the kitchen to pack my lunch. I came back and the drive light on BOT House was flashing like crazy and there were disk-eating sounds coming from the box itself. The drive, a Fujistu 80G, had self-destructed.

    That evening I put the ISA server online and was at least able to get EXP II running.

    So... now I have a new HD and a lot of work to do.

    Glad you liked the movie. I had a lot of fun making it.

    ReplyDelete
  3. Anonymous12:35 AM

    cool... so what is the time estimate on Bot House? I am addicted :)

    ReplyDelete
  4. Anonymous12:36 AM

    HorkinFiberChunx by the way

    ReplyDelete
  5. ZSnDYcate11:48 PM

    ZSnDYcate here...

    Hink,

    Appreciate all the selfless time, effort and cash you put into maintaining BOT House and EXII. You may have other servers, but these two I visit almost daily as part of my post work unwind ritual. You've created a home for some of the best spirited and talented lo-grav players in UT99. Any chance those players that you repeatedly come across during reviews of your chat logger in either mentioned server getting a bot named after them? Over to you to please consider, or not:D I think it would be cool and I'm hoping you will too...a kind of homage to your loyal server fraggers... Looking fwd to the rtn of BOT House. Take Care Hink.

    Very Respectfully,
    Z

    ReplyDelete
  6. Thanks for the kind words. BH is getting its shit back together slowly but I don't think it'll be back up until Christmas. Look out for a new IP on EXII before it goes back online. When that happens we're half way there.

    ReplyDelete
  7. Anonymous11:17 AM

    hey the guy who made this video is great and I will try it at office by tomorrow because u know we are a duty officers and thats sucks to block us from internet and if it's works we can give to the man who did it a Nobel prize for poring killer

    ReplyDelete