Saturday, May 29, 2010

Websense 6.3.3 "Via:" Bypass

discovered by mrhinkydink

PRODUCT: Websense Enterprise v6.3.3

EXPOSURE: Trivial Web Policy Bypass


By adding a "Via:" header to an HTTP request it is possible for a user to completely bypass filtering and monitoring in a Websense Enterprise 6.3.3/Microsoft ISA Server (2004 or 2006) proxy integration environment.


The following works in a Websense 6.3.3 Enterprise system using the ISA Server integration product and transparent authentication. It is assumed it will work with other proxy integration products, but this has not been tested.

I. Install Firefox >= 3.5

II. Obtain and install the Modify Headers plug-in by Gareth Hunt

III. Configure the plug-in to add a valid "Via:" header to every request

    Example: "Via: 1.1 VIAPROXY"

IV. Browse to a filtered Web site

V. All content is allowed without monitoring



The Modify Header plug-in does not work with SSL. However, in practice a user could browse to a so-called (by Websense) "Proxy Avoidance" Web site and use the SSL capabilities of the remote proxy.


Properly configured, a downstream SQUID proxy can send requests to the upstream ISA server and all requests will pass through without blocking or monitoring. No evidence of activity will be logged by Websense. This was in fact how this vulnerability was originally discovered. Considering the simplicity of the attack, the author suspects this bypass technique is already well-known in certain circles.

Also, it is trivial to modify proxy-enabled Linux utilities to leverage this bypass. The author has recompiled (that is, HACKED) OpenVPN, connect-proxy, PuTTY, stunnel, and others to take advantage of this policy bypass.

Obviously, the risk of undetected (by Websense, at least) covert tunnels is high in a vulnerable installation of this product.

Linux platforms using this method in this specific environment will also enjoy bypassing Websense's transparent authentication.


For this specific installation scenario (Websense 6.3.3 + ISA 2004/6 + transparent authentication), none are known. The following may work:

  * Use Windows Integrated Authentication on the ISA Server

  * Upgrade to Websense 7.x

  * Do not use a proxy integration product


10/09/2009 - vendor notified

05/29/2010 - PoC published

c. MMX mrhinkydink

Saturday, May 15, 2010


That's me!

For some unknown reason, The Boss decided I needed a laptop a year and a half after he decided I didn't need a laptop. So, now I have a new laptop.

I liked the old one just fine. It played UT great! I've had nothing but heartache with my own laptop and UT. At first I thought it was Vista, but all the problems remained after I upgraded it to Windows 7 (a.k.a. "Vis7a"). Then, one day I plugged a USB keyboard into it and tried playing. All the problems vanished. Turns out it's the keyboard hardware (or the driver). Still, it's not convenient to play that way.

This new laptop is nothing stellar, a run-of-the-mill HP 6530B with a dual core Centrino, two lousy gigs of RAM, 32-bit Vis7a, and an 80G hard drive (encrypted!).


I'm not impressed.

But... it runs UT like a champ! So now I can play from the comfort of my own couch. And it's small enough that I can have a cat on my lap at the same time!

It makes playing UT fun again!

So if you see New_Laptop_Boi say "Hi".