Building network automation solutions

9 module online course

Start now!

Category: HTTP

Netflix summary

Many thanks to those of you that responded with Netflix details (special thanks to Volcker for sending me the packet capture). Immediately after someone mentioned firewalls, I knew what the most sensible answer should be: to get across almost anything, use HTTP. No surprise, Netflix chose to use it. However, they’ve managed to deploy streaming video over TCP, which is not a trivial task. So, how did they do it?

read more see 2 comments

IOS HTTP vulnerability

The Cisco Subnet RSS feed I’m receiving from Network World contained interesting information a few days ago: Cisco has reissued the HTTP security advisory from 2005. The 2005 bug was “trivial”: they forgot to quote the “<” character in the output HTML stream as “&lt;” and you could thus insert HTML code into the router’s output by sending pings to the router and inspecting the buffers with show buffers assigned dump (I found the original proof-of-concept exploit on the Wayback Machine). However, I’ve checked the behavior on 12.4(15)T1 and all dangerous characters (“<” and quotes) were properly quoted. So, I’m left with two explanations.

read more see 1 comments

Local Content Filtering in Cisco IOS

Cisco IOS release 12.4(20)T introduced (web) content filtering. The feature is aimed primarily at the ISR routers which can connect to an external service hosted by Trend Micro, turning the mundane administrative task of blacklisting web sites into a subscription service.

You can use the same features without the Trend Micro service whenever you need a quick fix (for example, blocking a few web sites). The Local content filtering is also available on other platforms, not just on ISRs. Not surprisingly, the online IOS documentation on the local part of this feature is a bit sketchy, but you’ll find all the details you need to configure this feature in the Local Content Filtering article.

Read the full article in the CT3 wiki

.
see 2 comments

HTTP PUT is broken in IOS release 12.4(15)T

Isaac was trying to implement the HTTP PUT solution I’ve described in the IP Corner article Using a Web Server to Manage Your Router Configurations. He couldn’t get IIS or Apache to work and finally discovered that he was facing an IOS problem. When he’s upgraded the routers to IOS release 12.4(20)T or 12.4(22)T, the copy running-config http://host/path command worked as expected.

Isaac, thanks for the feedback!

add comment

Interesting links | 2008-11-08

As always, Jeremy Stretch posted several interesting articles: how to hijack HSRP, introduction to split horizon in distance vector routing protocols and (long needed) default redistribution metrics.

Petr Lapukhov started playing with HTTP URL regular expressions within NBAR and documented his findings. The most interesting is the last Q/A pair: can I use NBAR as a content filtering engine?

And last but definitely not least, if you’re worried what will happen to WPA2 now that WPA has been cracked, Robert Graham explains the fundamental differences between WPA and WPA2. Also, make sure you read the detailed explanation of the WPA flaw to understand its implications.

see 2 comments

Cisco IOS violates RFC 2616 (HTTP/1.1)

Update 2012-08-27: Stefan de Kooter reported the bug had been fixed in IOS release 15.1(4)M.

I simply had to check with the RFC; by setting the Host: field of HTTP request to an IP address (instead of a host name), Cisco IOS violates section 14.23 of RFC 2616, which says:

The Host request-header field specifies the Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource ... The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL.
add comment

IOS HTTP client sets Host: field to IP address

Update 2012-08-27: Stefan de Kooter reported the bug had been fixed in IOS release 15.1(4)M.

If you run multiple web sites on a single physical server, it's highly likely that you rely on the ability of HTTP/1.1 clients to specify the Host: field in the HTTP request to indicate which web site they're trying to access.

Cisco IOS always inserts the web server's IP address (not the hostname) in the Host: field of the HTTP request, regardless of whether you enter IP address or hostname in the URL part of an IOS command that supports HTTP (for example, copy or more command) ... and regardless of whether the hostname is locally configured with the ip host command or resolved by an external DNS server specified in the ip name-server command.

End result: Cisco IOS-based routers (tested up to release 12.4(11)T) can access only the default web site on a web server hosting multiple web sites.

add comment

Home page for Cisco IOS web server

Another un(der)documented fact: when you access the router's home page (assuming HTTP or HTTPS server has been enabled), the router displays:
  1. The home.html file if it exists in any filesystem;
  2. The home.shtml file if it exists in any filesystem;
  3. a default page with links to exec, SDM, QDM and TAC support

Note: even though you can access home.html file on flash: device directly, that web page cannot reference any other file in flash: as a relative link unless you specify flash: as the default path for the HTTP requests with the ip http path flash: command.

see 2 comments

Cisco IOS Web Server

These tips will help you get the most out of the Cisco IOS embedded web server:

These ones explain how to use IOS HTTP server and client to manage your router configuration and execute commands on the router:

add comment

Disable command execution with Cisco IOS web server

If you give your users guest access to a router, you might want to disable some web-based applications the router usually offers (for example, command execution). To do this, use the following steps (first supported in IOS release 12.3(14)T, integrated in 12.4):
  1. List all the web applications your Cisco IOS supports with the show ip http server session-module command. By default, all web applications should be active.
  2. Create a subset of applications you want to activate with the ip http session-module-list list-name module-list. global configuration command, for example.
  3. ip http session-module-list NoExec HTTP_IFS,HOME_PAGE,QDM,QDM_SA,XML_Api,EzVPN-Web-Intercept
  4. Activate the desired applications with the ip http active-session-modules list-name configuration command (you should also use the ip http secure-active-session-modules command if you've enabled HTTPS server).
  5. Verify the results with the show ip http server session-module command. Only the applications listed in your module list should be active, all others should be inactive.
add comment

Include a default username/password in web request

I've got a great question related to a previous post:
Is there anyway to send the username and password with the URL request to the router so the user is not prompted for the login?
You can specify username and password as part of standard URL syntax http://username:[email protected]/rest-of-url, so to execute a show ip interface brief command you could use this URL (after configuring multilevel web access on the router):
http://guest:[email protected]/level/1/exec/show/ip/interface/brief
Note: this syntax no longer works in Internet Explorer with latest security patches, please read http://support.microsoft.com/kb/834489 for more information on how to re-enable this behavior.
add comment

Multilevel web (HTTP) access to a router

In some scenarios you want to use true username/password authentication when accessing the router's web server (by default, you have to use enable password). To change the HTTP authentication method, use the ip http authentication local configuration command; it tells the router to use local usernames and passwords when authentication web requests.

Before changing the HTTP authentication, you must define local usernames with the username username privilege-level level password password command, for example:
username guest privilege 1 password 0 guest
username admin privilege 15 password 0 admin
Note: unless you configure service password-encryption, the passwords in your configuration will remain in cleartext.

The last bit of the puzzle is the correct formation of the URLs: when executing a command on the router through a URL, you have to specify the required privilege level (the router will then prompt you for a username/password with at least that privilege level). The URL syntax is http://router/level/privilege-level/exec/command. For example, to execute non-privileged (level-1) show users command, use the following URL:
http://router/level/1/exec/show/users/CR
Note: the /CR suffix at the end of the URL tells the router to execute a command that contains optional (non-present) parameters.
add comment

Reload a router from VBScript or PERL with a HTTP (web) request

If you have HTTP enabled on your router, you can use it to automate router reloads through web requests. To enable HTTP on the router, use the following commands:
ip http server
ip http access-class 90
access-list 90 permit network-management-ip-address
The ip http access-class configuration command is vital - it limits the access to the web server on your router to well-defined IP addresses.

The Visual Basic script to reload the router is extremely simple (just save the following lines into a file called reload.vbs):
Const RouterIP = "10.0.0.1" ' replace with router's IP address
Const EnablePassword = "password" ' replace with enable password

Set WebRq = CreateObject("MSXML2.XMLHTTP")
WebRq.Open "GET","http://" & RouterIP & "/level/15/exec/reload/CR",false,"Username",EnablePassword
WebRq.Send
And here is the equivalent PERL code for the open source community:
use LWP::UserAgent;

$routerIP = "10.0.0.1";
$enablePwd = "password";

$ua = LWP::UserAgent->new;
$req = HTTP::Request->new(GET => "http://$routerIP/level/15/exec/reload/CR");
$req->authorization_basic('', $enablePwd);
print $ua->request($req)->as_string;
By default, the username specified in the web request is ignored by the router and the password has to be the enable password. Of course, if you change the authentication scheme on the router with the ip http authentication configuration command, you'd use proper username/password pair in the HTTP request.
add comment
Sidebar