Big IP identifies header reordering as man in the middle attack and throws an error

book

Article ID: 160009

calendar_today

Updated On:

Products

Data Loss Prevention Network Prevent for Web

Issue/Introduction

A customer uses BlueCoat to go to a website that uses Big IP framework to identify man-in-the-middle attacks.
The Big IP framework identifies header reordering as such an attack and throws an error, resulting in the inability to access the secured website

 

Resolution

Bluecoat passes the content-length header in the beginning, Symantec DLP re-orders the Content-length header because of a potential HTTP redaction. In a case where HTTP redaction is used we would change the HTTP body. As a result the initial Content-length will be extracted in anticipation of a value changing.  After extracting, we hold onto the value and append it to the end of the headers later on (after any possible modification due to redaction). 

 

The header reordering only occurs with Proxies that have the content-length header in the beginning of the object.

 

Please note:

RFC 2616 ( http://www.ietf.org/rfc/rfc2616.txt  ) states that  "The order in which header fields with differing field names are received is not significant." 

This suggests technically such sites that rely on above outlined means would not be RFC compliant.

 

Workaround:

1)      Bypass ICAP for such site would resolve in the ability to access such a protected web site.

2)      Use a proxy that has the content-length header at the end of the object, such as TMG.