
Scanning websites deployed on dual stack IPv4/IPv6 servers

IP.com Disclosure Number: IPCOM000188163D
Original Publication Date: 2009-Sep-24
Included in the Prior Art Database: 2009-Sep-24
Document File: 3 page(s) / 48K

Publishing Venue

IBM

Abstract

A website is susceptible to different security vulnerabilities depending on whether it is deployed on an IPv4, IPv6 or dual-stack IPv4/IPv6 server. Disclosed is a method to automatically test for those environmental IPv4-IPv6 differences when scanning the information posted on a website.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 36% of the total text.


1. Background

    The massive growth in the number of Internet users has continuously pushed the underlying network infrastructure and software to accommodate more and more users. The Internet Protocol (IP) is a data-oriented protocol that operates at the Network layer of the Open Systems Interconnection (OSI) architecture. One of IP's mandates is to define the number of addresses on the Internet. To keep up with the exponential expansion of the Internet, the IP protocol had to be adjusted accordingly. IP version 6 is the latest IP version, and it overcomes some of the challenges its predecessor faced, such as address space, security, support for Quality of Service (QoS), and extensibility, to name a few.

    As the Internet evolves, IPv6 adoption becomes a must that all organizations will have to follow. To ease the transition, most operating systems (OS) support a dual IPv4/IPv6 stack. This allows those hosts to communicate with both IPv6 and IPv4 machines, making the IPv6 transition transparent to users.

    The IP protocols are implemented at the OS level, which can introduce differences between the behavior of one OS and another. Furthermore, since both IPv4 and IPv6 carry upper-layer OSI protocols in their payloads, the potential for inconsistency increases. The most common use of the Internet is browsing data. This is commonly done through (but is not limited to) the Hypertext Transfer Protocol (HTTP), implemented at the OSI Application layer.

1.1 Observations:

    Theoretically, HTTP over IPv4 would behave the same as HTTP over IPv6. However, this is not true in practice. We discovered several cases where browsing the same information retrieved different data depending on whether it was requested from an IPv4 machine or an IPv6 machine.

    One of the most interesting observations is that, just by enabling dual-stack IPv4-IPv6 on a Windows server running Internet Information Services (IIS), the website automatically becomes vulnerable to a set of new security errors. One simple example of such an error is as follows. For IPv4, the IISSamples virtual directory has its access restricted to 127.0.0.1 (localhost) only. When an IPv4 client tries to access this machine remotely, the client receives an HTTP/1.x 403 Forbidden response from the server. With IPv6 enabled on the same server, however, an IPv6 client receives an HTTP/1.x 200 OK response, which exposes the data.
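The check this observation calls for, requesting the same path over each address family and comparing the answers, can be sketched as follows. This is an added example, not code from the disclosure; the function names, the `DENIED` set and the three finding labels are assumptions made for illustration.

```python
import hashlib
import http.client
import socket

DENIED = (401, 403)  # statuses treated as "access restricted" (assumption)

def fetch(host, path, family, port=80, timeout=5.0):
    """GET path from host over one address family only.

    Returns (status, sha256-of-body), or None when the host has no address
    in that family or the connection fails."""
    try:
        sockaddr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
        conn = http.client.HTTPConnection(sockaddr[0], port, timeout=timeout)
        try:
            # Connect to the literal address but keep the site's Host header.
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            return resp.status, hashlib.sha256(resp.read()).hexdigest()
        finally:
            conn.close()
    except (OSError, http.client.HTTPException):
        return None

def classify(v4, v6):
    """Label the difference between the IPv4 and IPv6 results, or None if equal."""
    if v4 is None or v6 is None or v4 == v6:
        return None
    s4, s6 = v4[0], v6[0]
    if (s4 in DENIED and 200 <= s6 < 300) or (s6 in DENIED and 200 <= s4 < 300):
        return "access-control"  # restricted on one stack, served on the other
    if s4 != s6:
        return "status"
    return "content"             # same status, different body (may be dynamic)

def scan(host, paths, fetcher=fetch):
    """Request every path over both stacks and return the paths that differ."""
    findings = []
    for path in paths:
        v4 = fetcher(host, path, socket.AF_INET)
        v6 = fetcher(host, path, socket.AF_INET6)
        kind = classify(v4, v6)
        if kind:
            findings.append((path, kind, v4[0], v6[0]))
    return findings
```

A path that is unreachable over one family is skipped rather than reported, and a "content" finding on a dynamic page needs a second look before it is treated as a real difference.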

    The problem becomes even more complex when we extrapolate...