Domain fronting is a potential attack vector in which a request carries an allowed domain name in the HTTP CONNECT request while the inner HTTP Host header points at different (malicious) content hosted on CDN infrastructure shared with the allowed domain.
Domain fronting mitigations are available for on-premise proxies [1] and were ported to WSS [2]; however, that implementation was found to cause numerous errors with legitimate traffic to well-known domains (Google, Apple, etc.).
WSS automatically implements domain fronting mitigations that are more robust than the proposed CPL code.
[1] Domain Fronting Attack Detection Feature on ProxySG or ASG
[2] Implementing the Domain Fronting Detection Attack feature on Web Security Service – WSS
To illustrate how WSS handles domain-fronting requests, we use four curl commands run from a computer with the WSS Agent installed and pointed at the explicit proxy endpoint ep.threatpulse.com:80 (the same behaviour applies to an IPsec location or an explicit proxy deployment):
curl --insecure -vv -x ep.threatpulse.com:80 https://www.lemonde.fr/ -H "Host: www.broadcom.com" -I
curl --insecure -vv -x ep.threatpulse.com:80 https://www.lemonde.fr/ -H "Host: www.lemonde.fr" -I
curl --insecure -vv -x ep.threatpulse.com:80 https://www.broadcom.com/ -H "Host: www.lemonde.fr" -I
curl --insecure -vv -x ep.threatpulse.com:80 https://www.broadcom.com/ -H "Host: www.broadcom.com" -I
Curl commands 1 and 3 are clearly malformed (the inner Host header does not match the CONNECT host, i.e. a potential domain fronting attack) and result in a transaction deny verdict from WSS when the CPL from the KBs listed earlier [1][2] is in place.
Curl commands 2 and 4 are valid requests and result in a transaction allow verdict from WSS when the same CPL is in place [1][2].
After adding a CPL snippet that copies the HTTP CONNECT host into a field that is present in the WSS logs [5], we could single out the four curl requests (eight log entries: one CONNECT and one HEAD per request) in the WSS logs [4] and extract the key data into a summary table [3].
What this data shows is that, for the intercepted TLS request, WSS uses the inner request Host header and the HTTP request destination, not the CONNECT host, to make the outbound server connection: in the two fronting attempts the server IP (r-ip) and the validated server certificate belong to the Host header domain rather than the CONNECT domain. This renders malicious domain fronting ineffective, as the real destination URL, hostname and IP address are the ones used in policy evaluation.
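To reproduce the extraction behind the summary table, here is an added Python example (not part of this KB article and not Broadcom tooling) that parses the ELFF #Fields header, pulls cs-host, r-ip, x-rs-certificate-hostname and x-cloud-rs from each intercepted HTTPS entry, and flags entries whose CONNECT host differs from the inner Host header. The sample log is a constructed subset of the fields in [4], with values copied from the four HEAD transactions and one CONNECT; it assumes the CPL from [5] is in place so that x-cloud-rs holds $(http.connect.host), and skips entries where that field is empty.

```python
"""Pull the domain-fronting evidence out of WSS / ProxySG ELFF access logs.

Assumes the CPL from [5] has copied $(http.connect.host) into x-cloud-rs, so an
intercepted HTTPS request line carries both the CONNECT host (x-cloud-rs) and
the inner Host header (cs-host).  Added example; not Broadcom code.
"""
import csv
from dataclasses import dataclass

# Constructed sample: a subset of the real #Fields header, with values copied from
# the four HEAD transactions (plus one CONNECT) discussed above.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time x-bluecoat-appliance-name sc-filter-result sc-status s-action cs-method cs-uri-scheme cs-host cs-uri-port r-ip r-supplier-country x-rs-certificate-hostname x-cloud-rs x-bluecoat-transaction-uuid
2022-07-01 15:50:42 "DP2-GGBLO99_proxysg1" OBSERVED 200 TCP_ACCELERATED CONNECT tcp www.lemonde.fr 443 151.101.18.217 "United Kingdom" - www.lemonde.fr 07828d8ef8aef5f7-000000000008e479-0000000062bf17d2
2022-07-01 15:50:42 "DP2-GGBLO99_proxysg1" DENIED 403 TCP_DENIED HEAD https www.broadcom.com 443 104.18.4.158 "None" www.broadcom.com www.lemonde.fr 07828d8ef8aef5f7-000000000008e47b-0000000062bf17d2
2022-07-01 15:50:42 "DP2-GGBLO99_proxysg1" OBSERVED 200 TCP_NC_MISS HEAD https www.lemonde.fr 443 151.101.18.217 "United Kingdom" *.lemonde.fr www.lemonde.fr 07828d8ef8aef5f7-000000000008e47e-0000000062bf17d2
2022-07-01 15:50:42 "DP2-GGBLO99_proxysg1" DENIED 403 TCP_DENIED HEAD https www.lemonde.fr 443 151.101.18.217 "United Kingdom" *.lemonde.fr www.broadcom.com 07828d8ef8aef5f7-000000000008e481-0000000062bf17d2
2022-07-01 15:50:42 "DP2-GGBLO99_proxysg1" OBSERVED 200 TCP_NC_MISS HEAD https www.broadcom.com 443 104.18.4.158 "None" www.broadcom.com www.broadcom.com 07828d8ef8aef5f7-000000000008e484-0000000062bf17d2
"""


def parse_elff(text):
    """Parse W3C ELFF text into dicts keyed by the names in the #Fields directive.

    Values are space-separated; quoted values ("United Kingdom") may contain spaces,
    so the split is done with the csv module rather than str.split().
    """
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Version, #Date, #Software, #Start-Date carry no records
        if fields is None:
            raise ValueError("record before #Fields directive")
        values = next(csv.reader([line], delimiter=" ", quotechar='"'))
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line[:60]}")
        records.append(dict(zip(fields, values)))
    return records


def norm_host(host):
    return host.rstrip(".").lower()


def cert_matches(cert_name, host):
    """RFC 6125-style check: a single leading '*.' label matches exactly one label."""
    cert_name, host = norm_host(cert_name), norm_host(host)
    if cert_name.startswith("*."):
        return host.endswith(cert_name[1:]) and host.count(".") == cert_name.count(".")
    return cert_name == host


@dataclass
class Finding:
    uuid: str
    connect_host: str   # what the client asked the proxy to CONNECT to (x-cloud-rs)
    request_host: str   # Host header seen inside the intercepted TLS session (cs-host)
    server_ip: str      # where WSS actually connected (r-ip)
    cert_host: str      # certificate name WSS validated on that connection
    verdict: str        # sc-filter-result
    fronting: bool      # CONNECT host and Host header disagree
    cert_matches_request: bool  # server cert belongs to the Host header domain


def analyse(records):
    """Return one Finding per intercepted HTTPS request (CONNECT entries are skipped)."""
    findings = []
    for r in records:
        if r["cs-method"] == "CONNECT" or r["cs-uri-scheme"] != "https":
            continue  # only the decrypted inner request carries both hostnames
        connect_host = r.get("x-cloud-rs", "-")
        if connect_host in ("", "-"):
            continue  # CPL from [5] not in place: no CONNECT host to compare against
        request_host = r["cs-host"]
        findings.append(Finding(
            uuid=r["x-bluecoat-transaction-uuid"],
            connect_host=connect_host,
            request_host=request_host,
            server_ip=r["r-ip"],
            cert_host=r["x-rs-certificate-hostname"],
            verdict=r["sc-filter-result"],
            fronting=norm_host(connect_host) != norm_host(request_host),
            cert_matches_request=cert_matches(r["x-rs-certificate-hostname"], request_host),
        ))
    return findings


def fronting_candidates(text):
    """Convenience wrapper: parse the log and keep only the mismatching requests."""
    return [f for f in analyse(parse_elff(text)) if f.fronting]


if __name__ == "__main__":
    print("uuid-suffix | connect.host | url.host | server.ip | cert | verdict | fronting?")
    for f in analyse(parse_elff(SAMPLE_LOG)):
        print(f.uuid[-12:], f.connect_host, f.request_host, f.server_ip,
              f.cert_host, f.verdict, f.fronting, sep=" | ")
```

Run as-is it prints a table equivalent to [3]. Pointed at a real WSS export, the same check works on the full header in [4], because field positions are taken from the #Fields line rather than hard-coded. The fronting flag only identifies the attempt; the point of this article is confirmed by the server.ip and cert columns, which follow the Host header domain in every row.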
[3] Transaction summary table
# (curl command) | Log entry (summary) | url.host (cs-host) | server.ip (r-ip) | cert.subject (x-rs-certificate-hostname) | connect.host (x-cloud-rs, populated by the CPL in [5]) |
1 | 2022-07-01 15:50:42 policy_denied DENIED 403 TCP_DENIED HEAD https | www.broadcom.com | 104.18.4.158 | www.broadcom.com | www.lemonde.fr |
2 | 2022-07-01 15:50:42 OBSERVED - 200 TCP_NC_MISS HEAD https | www.lemonde.fr | 151.101.18.217 | *.lemonde.fr | www.lemonde.fr |
3 | 2022-07-01 15:50:42 policy_denied DENIED 403 TCP_DENIED HEAD https | www.lemonde.fr | 151.101.18.217 | *.lemonde.fr | www.broadcom.com |
4 | 2022-07-01 15:50:42 OBSERVED - 200 TCP_NC_MISS HEAD https | www.broadcom.com | 104.18.4.158 | www.broadcom.com | www.broadcom.com |
[4] Raw WSS logs
#Version: 1.0
#Date: 2022-07-01T15
#Software: EAR 2.6
#Start-Date: 2022-07-01 15:50:42
#Fields: x-bluecoat-request-tenant-id date time x-bluecoat-appliance-name time-taken c-ip cs-userdn cs-auth-groups x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-icap-reqmod-header(X-ICAP-Metadata) x-icap-respmod-header(X-ICAP-Metadata) x-data-leak-detected x-virus-id x-bluecoat-location-id x-bluecoat-location-name x-bluecoat-access-type x-bluecoat-application-name x-bluecoat-application-operation r-ip r-supplier-country x-rs-certificate-validate-status x-rs-certificate-observed-errors x-cs-ocsp-error x-rs-ocsp-error x-rs-connection-negotiated-ssl-version x-rs-connection-negotiated-cipher x-rs-connection-negotiated-cipher-size x-rs-certificate-hostname x-rs-certificate-hostname-categories x-cs-connection-negotiated-ssl-version x-cs-connection-negotiated-cipher x-cs-connection-negotiated-cipher-size x-cs-certificate-subject cs-icap-status cs-icap-error-details rs-icap-status rs-icap-error-details s-supplier-ip s-supplier-country s-supplier-failures x-cs-client-ip-country cs-threat-risk x-rs-certificate-hostname-threat-risk x-client-agent-type x-client-os x-client-agent-sw x-client-device-id x-client-device-name x-client-device-type x-client-security-posture-details x-client-security-posture-risk-score x-bluecoat-reference-id x-sc-connection-issuer-keyring x-sc-connection-issuer-keyring-alias x-cloud-rs x-bluecoat-placeholder cs(X-Requested-With) x-random-ipv6 x-bluecoat-transaction-uuid
22054 2022-07-01 15:50:42 "DP2-GGBLO99_proxysg1" 18 51.178.41.107 - - - OBSERVED "News" - 200 TCP_ACCELERATED CONNECT - tcp www.lemonde.fr 443 / - - curl/7.64.0 192.168.2.84 39 120 - - - - 471437 "22054-OVH-explicit" explicit_proxy - - 151.101.18.217 "United Kingdom" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - "United Kingdom" - "France" 2 - - - - - - - - - - - - www.lemonde.fr - - 2001:0DB8:2449:413a:7eb2:5f9f:162f:7382 07828d8ef8aef5f7-000000000008e479-0000000062bf17d2
22054 2022-07-01 15:50:42 "DP2-GGBLO99_proxysg1" 61 51.178.41.107 - - policy_denied DENIED "Technology/Internet" - 403 TCP_DENIED HEAD text/html;%20charset=utf-8 https www.broadcom.com 443 / - - curl/7.64.0 192.168.2.84 177 81 - - - - 471437 "22054-OVH-explicit" explicit_proxy - - 104.18.4.158 "None" CERT_VALID none - - TLSv1.3 TLS_AES_256_GCM_SHA384 256 www.broadcom.com Technology/Internet TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 192.168.2.84 None - "France" 1 1 - - - - - - - - - SSL_Intercept_1 - www.lemonde.fr - - 2001:0DB8:2449:413a:7eb2:5f9f:162f:7382 07828d8ef8aef5f7-000000000008e47b-0000000062bf17d2
22054 2022-07-01 15:50:42 "DP2-GGBLO99_proxysg1" 16 51.178.41.107 - - - OBSERVED "News" - 200 TCP_ACCELERATED CONNECT - tcp www.lemonde.fr 443 / - - curl/7.64.0 192.168.2.84 39 120 - - - - 471437 "22054-OVH-explicit" explicit_proxy - - 151.101.18.217 "United Kingdom" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - "United Kingdom" - "France" 2 - - - - - - - - - - - - www.lemonde.fr - - 2001:0DB8:2449:413a:7eb2:5f9f:162f:7382 07828d8ef8aef5f7-000000000008e47c-0000000062bf17d2
22054 2022-07-01 15:50:42 "DP2-GGBLO99_proxysg1" 16 51.178.41.107 - - - OBSERVED "News" - 200 TCP_NC_MISS HEAD text/html https www.lemonde.fr 443 / - - curl/7.64.0 192.168.2.84 1026 79 - - no - 471437 "22054-OVH-explicit" explicit_proxy - - 151.101.18.217 "United Kingdom" CERT_VALID none - - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 128 *.lemonde.fr News TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 151.101.18.217 "United Kingdom" - "France" 2 2 - - - - - - - - - SSL_Intercept_1 - www.lemonde.fr - - 2001:0DB8:2449:413a:7eb2:5f9f:162f:7382 07828d8ef8aef5f7-000000000008e47e-0000000062bf17d2
22054 2022-07-01 15:50:42 "DP2-GGBLO99_proxysg1" 17 51.178.41.107 - - - OBSERVED "Technology/Internet" - 200 TCP_ACCELERATED CONNECT - tcp www.broadcom.com 443 / - - curl/7.64.0 192.168.2.84 39 124 - - - - 471437 "22054-OVH-explicit" explicit_proxy - - 104.18.4.158 "None" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - None - "France" 1 - - - - - - - - - - - - www.broadcom.com - - 2001:0DB8:2449:413a:7eb2:5f9f:162f:7382 07828d8ef8aef5f7-000000000008e47f-0000000062bf17d2
22054 2022-07-01 15:50:42 "DP2-GGBLO99_proxysg1" 14 51.178.41.107 - - policy_denied DENIED "News" - 403 TCP_DENIED HEAD text/html;charset=UTF-8 https www.lemonde.fr 443 / - - curl/7.64.0 192.168.2.84 177 79 - - - - 471437 "22054-OVH-explicit" explicit_proxy - - 151.101.18.217 "United Kingdom" CERT_VALID none - - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 128 *.lemonde.fr News TLSv1.3 TLS_AES_256_GCM_SHA384 256 - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 192.168.2.84 "United Kingdom" %22151.101.18.217|United%20Kingdom|timeout%22 "France" 2 2 - - - - - - - - - SSL_Intercept_1 - www.broadcom.com - - 2001:0DB8:2449:413a:7eb2:5f9f:162f:7382 07828d8ef8aef5f7-000000000008e481-0000000062bf17d2
22054 2022-07-01 15:50:42 "DP2-GGBLO99_proxysg1" 16 51.178.41.107 - - - OBSERVED "Technology/Internet" - 200 TCP_ACCELERATED CONNECT - tcp www.broadcom.com 443 / - - curl/7.64.0 192.168.2.84 39 124 - - - - 471437 "22054-OVH-explicit" explicit_proxy - - 104.18.4.158 "None" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - None - "France" 1 - - - - - - - - - - - - www.broadcom.com - - 2001:0DB8:2449:413a:7eb2:5f9f:162f:7382 07828d8ef8aef5f7-000000000008e482-0000000062bf17d2
22054 2022-07-01 15:50:42 "DP2-GGBLO99_proxysg1" 41 51.178.41.107 - - - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS HEAD text/html https www.broadcom.com 443 / - - curl/7.64.0 192.168.2.84 1043 81 - - - - 471437 "22054-OVH-explicit" explicit_proxy - - 104.18.4.158 "None" CERT_VALID none - - TLSv1.3 TLS_AES_256_GCM_SHA384 256 www.broadcom.com Technology/Internet TLSv1.3 TLS_AES_256_GCM_SHA384 256 - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 104.18.4.158 None - "France" 1 1 - - - - - - - - - SSL_Intercept_1 - www.broadcom.com - - 2001:0DB8:2449:413a:7eb2:5f9f:162f:7382 07828d8ef8aef5f7-000000000008e484-0000000062bf17d2
[5] CPL code to copy the HTTP CONNECT host into an existing field of the WSS logs (x-cloud-rs)
<Proxy>
log.rewrite."x-cloud-rs"("$(http.connect.host)")