Hello,
We are still doing some security testing on PowerShell Universal.
My colleague experienced some strange behavior. The HSTS header is set correctly, but if we provoke an HTTP 400 or 500 by spoofing faked values in the HTTP requests, we get HTTP responses without the HSTS header. Is this the desired configuration, or is something missing within the Kestrel web service?
Thanks a lot!
Product: PowerShell Universal, Version: 3.7.11
Can you double check that it's not running against localhost? It seems like Kestrel does not send the HSTS headers when communicating over localhost.
Adam Driscoll
PowerShell Expert and Developer at Devolutions
We will double check next week.
Right now, here are some details about the faked/spoofed requests:
HTTP 400 request:
GET /dashboardhub?dashboardid=1&id=123456 HTTP/1.1
Host: xyz.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Sec-Websocket-Version: 13
Origin: https://xyz.com
Sec-Websocket-Key: 55555555555
Connection: keep-alive, Upgrade
Cookie: .AspNetCore.Antiforgery.123456; .AspNetCore.Session=123456; .AspNetCore.Cookies=123456
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
HTTP 400 answer:
HTTP/1.1 400 Bad Request
Content-Length: 0
Connection: close
Date: Wed, 24 May 2023 10:16:20 GMT
Server: Kestrel
HTTP 500 request:
GET /xyz/home HTTP/2
Host: xyz.com
Cookie: .AspNetCore.Antiforgery.123456; RequestVerificationToken=123456; .AspNetCore.Session=123456
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@65465412kjhkahsd.oastify.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Cache-Control: no-transform
X-Forwarded-For: spoofed.o5u02424234st324234dq1f.oastify.com
Forwarded: for=spoofed.j5u02424234st3242347xw.oastify.com;by=spoofed.j1lv5u02424234st324234h97xw.oastify.com;host=spoofed.j15u02424234st32423497xw.oastify.com
Client-Ip: spoofed.g95u02424234st3242346gu5.oastify.com
Cf-Connecting_ip: spoofed.alzm5u02424234st32423410toi.oastify.com
X-Real-Ip: spoofed.g5u02424234st3242346du2.oastify.com
X-Client-Ip: spoofed.7rz5u02424234st324234x2lr.oastify.com
Referer: http://u5u02424234st324234ptkp8e.oastify.com/ref
Contact: root@65465412kjhkahsd.oastify.com
X-Originating-Ip: spoofed.nh8zdnq4szpct2h9jvjr513rrixdv1k.oastify.com
From: root@g2424234st324234put.oastify.com
True-Client-Ip: spoofed.2424234st324234ptmi.oastify.com
X-Wap-Profile: http://98f2424234st324234p4e.oastify.com/wap.xml
HTTP 500 answer:
HTTP/2 500 Internal Server Error
Content-Type: text/plain
Date: Fri, 26 May 2023 09:22:07 GMT
Server: Kestrel
Cache-Control: no-cache,no-store
Expires: -1
Pragma: no-cache

An invalid IP address was specified.
The X-Real-Ip value spoofed to provoke the HTTP 500: spoofed.g5u02424234st3242346du2.oastify.com
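As an added check (not code from the thread or from PowerShell Universal), the script below parses captured raw responses like the ones above and reports whether each carries a Strict-Transport-Security header; the 400 and 500 samples are transcribed from the post, the 200 sample is constructed for contrast.

```python
"""Check captured HTTP responses for a Strict-Transport-Security header.
Added example, not code from the thread or from PowerShell Universal."""
import re

# Samples: 400 and 500 transcribed from the post, 200 constructed for contrast.
RESPONSE_400 = (
    "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n"
    "Date: Wed, 24 May 2023 10:16:20 GMT\r\nServer: Kestrel\r\n\r\n"
)
RESPONSE_500 = (
    "HTTP/2 500 Internal Server Error\r\nContent-Type: text/plain\r\n"
    "Date: Fri, 26 May 2023 09:22:07 GMT\r\nServer: Kestrel\r\n"
    "Cache-Control: no-cache,no-store\r\nExpires: -1\r\nPragma: no-cache\r\n"
    "\r\nAn invalid IP address was specified."
)
RESPONSE_200 = (  # constructed: what a normal response with HSTS looks like
    "HTTP/1.1 200 OK\r\nServer: Kestrel\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

def parse_response(raw):
    """Return (status_code, headers); header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]          # status line + headers only
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])            # "HTTP/2 500 ..." -> 500
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")     # first ':' only; Date has more
        headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_verdict(raw, min_max_age=31536000):
    """Classify one response as 'ok', 'weak' (small max-age) or 'missing'."""
    status, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return status, "missing"
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if match is None or int(match.group(1)) < min_max_age:
        return status, "weak"
    return status, "ok"

def audit(responses):
    """Map each label to (status, verdict); anything not 'ok' is a finding."""
    return {label: hsts_verdict(raw) for label, raw in responses.items()}
```

Run it against responses captured over the public hostname rather than localhost, so the localhost exception mentioned above does not mask the result.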
Hello Adam,
we can confirm that the HSTS header is missing on HTTP errors like 400/500. On normal requests the HSTS header is set correctly.
Best regards,