This repository has been archived by the owner on Nov 4, 2024. It is now read-only.

HTTP to HTTPS redirection not validated on subdomain #451

Open
deastr opened this issue Sep 16, 2021 · 2 comments

Comments

@deastr

deastr commented Sep 16, 2021

We have an internal website at https://sub.company.com being tested with Observatory. The web server is set to redirect HTTP requests to HTTPS, but for some reason Observatory says that it isn't. When I visit http://sub.company.com with a browser it gets redirected to https://sub.company.com. I tried curl and also got a 301 result. Am I misunderstanding this rule, doing something wrong, or does it not apply to subdomains?

Here's the curl output:

curl -v http://sub.company.com/
*   Trying xxx...
* Connected to sub.company.com (xxx) port 80 (#0)
> GET / HTTP/1.1
> Host: sub.company.com
> User-Agent: curl/7.79.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=UTF-8
< Location: https://sub.company.com/
< Server:
< Date: Thu, 16 Sep 2021 13:40:08 GMT
< Content-Length: 161
<
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="https://sub.company.com/">here</a></body>* Connection #0 to host sub.company.com left intact

Neither the HTTP nor the HTTPS versions of sub.company.com and company.com have IPv6 enabled; I checked with https://ipv6-test.com/

@floatingatoll
Contributor

floatingatoll commented Sep 16, 2021 via email

@deastr
Author

deastr commented Sep 17, 2021

> This can sometimes occur if there's a series of redirects, especially in circumstances involving SSO or other intercept-redirect auth systems. When you curl -v https, does it return another Location header?

No, it's 200:

curl -v https://sub.company.com
*   Trying xxx:443...
* Connected to sub.company.com (xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: C:\Users\deastr\Downloads\curl-7.79.0_1-win64-mingw\curl-7.79.0-win64-mingw\bin\curl-ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=XX; postalCode=123456; ST=City; L=City; street=Address; O=<company>; OU=Technology; CN=*.company.com
*  start date: Nov  5 00:00:00 2020 GMT
*  expire date: Dec  6 23:59:59 2021 GMT
*  subjectAltName: host "sub.company.com" matched cert's "*.company.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Organization Validation Secure Server CA
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
> Host: sub.company.com
> User-Agent: curl/7.79.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Cache-Control: no-cache
< Pragma: no-cache
< Transfer-Encoding: chunked
< Content-Type: text/html
< Last-Modified: Thu, 16 Sep 2021 11:07:07 GMT
< Accept-Ranges: bytes
< ETag: "1d7aaeafcbc7970"
< Set-Cookie: .AspNetCore.Antiforgery.OsGppWPEUZ4=CfDJ8E-9KhECE8JKu0tn3QQhVMYNx0ghHuOFN85At0Q8IizL4PHyEd9fq8sW168tkhhat78cmeLGcqf3aJXkSrj3Zk5-dp0wzop-GfIgrzaPTMfmG1uqyqWGHDd4ID5gpeExvyYsUzbW0hyL6JO8TyBx0e4; path=/; httponly
< Set-Cookie: XSRF-TOKEN=CfDJ8E-9KhECE8JKu0tn3QQhVMbgqOnK3m9bvZU17pfVSxvKH5qct0U3YwoMGUQicp7JsY7b0u9UqDEQ8UsbsW2d_pFxCihl0vxNSQVABd5Wy3n6K9VbgafRqNt7FkSgGjsqr7YJvVEHEBrVT9jIHJsifts; path=/
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< Referrer-Policy: no-referrer-when-downgrade
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SameOrigin
< Content-Security-Policy: default-src 'none';script-src 'self';object-src 'none';style-src 'self' 'nonce-b892a052-d0fc-419e-af29-91cb942f7b1a' 'unsafe-inline';img-src 'self';font-src 'self';connect-src 'self';base-uri 'self';form-action 'self';frame-ancestors 'self'
< Permissions-Policy: accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=()
< SERVER:
< Date: Fri, 17 Sep 2021 06:40:39 GMT
<
<!DOCTYPE html>
<html>
...
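The redirection rule deastr asks about in the opening post, and the redirect-chain case floatingatoll raises in the reply, as an added example that is not http-observatory's own code: a small Python checker that requests an http:// URL one hop at a time (never letting urllib follow redirects on its own) and classifies the whole chain. The result names are modelled on the Observatory grader's redirection results from memory and are an assumption; `redirection-too-many-hops` is this script's own addition, and `sample_fetch` together with the `company.com` responses it returns is constructed for offline runs, not captured from any real server. The off-host rule is the security-relevant part: a browser only remembers `Strict-Transport-Security` for the host that sent it, so `http://sub.company.com` has to land on `https://sub.company.com` first, before any redirect elsewhere, or `includeSubDomains` on the final host never protects `sub`.

```python
"""Classify an HTTP -> HTTPS redirect chain hop by hop.

Added example, not http-observatory's own code. Result names follow the
Observatory redirection test from memory (assumption); "redirection-too-many-hops"
is this script's own. sample_fetch and SAMPLE_RESPONSES are constructed data.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop is observed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_fetch(url, timeout=10):
    """Return (status, headers) for one request without following redirects."""
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-check/1.0"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:  # 3xx (because of _NoRedirect), 4xx, 5xx
        return err.code, err.headers


def _location(headers):
    """Case-insensitive Location lookup; works for dicts and email.message headers."""
    for key, value in headers.items():
        if key.lower() == "location":
            return value
    return None


def check_redirection(start_url, fetch=http_fetch, max_hops=10):
    """Follow redirects from an http:// URL; return (result, chain).

    chain is a list of (url, status, location) in the order requested.
    """
    start = urlparse(start_url)
    if start.scheme != "http":
        raise ValueError("start_url must be an http:// URL")
    chain, url = [], start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        location = _location(headers) if status in REDIRECT_CODES else None
        chain.append((url, status, location))
        if location is None:
            break  # terminal response (200, 404, 3xx without Location, ...)
        url = urljoin(url, location)  # relative Location headers are allowed
    else:
        return "redirection-too-many-hops", chain  # loop or absurdly long chain

    if len(chain) == 1:
        return "redirection-missing", chain
    first = urlparse(chain[1][0])  # where the very first redirect sent us
    if first.scheme != "https":
        return "redirection-not-to-https-on-initial-redirection", chain
    if first.hostname != start.hostname:
        return "redirection-off-host-from-http", chain  # HSTS never reaches start host
    if urlparse(chain[-1][0]).scheme != "https":
        return "redirection-not-to-https", chain
    return "redirection-to-https", chain


# Constructed responses for offline runs (assumption: not captured from a real server).
SAMPLE_RESPONSES = {
    "http://sub.company.com/": (301, {"Location": "https://sub.company.com/"}),
    "https://sub.company.com/": (200, {"Content-Type": "text/html"}),
    "http://company.com/": (301, {"Location": "http://www.company.com/"}),
    "http://www.company.com/": (301, {"Location": "https://www.company.com/"}),
    "https://www.company.com/": (200, {}),
    "http://off.company.com/": (301, {"Location": "https://www.company.com/"}),
    "http://plain.company.com/": (200, {}),
    "http://loop.company.com/": (302, {"Location": "/"}),  # resolves to itself
}


def sample_fetch(url, timeout=10):
    """Offline stand-in for http_fetch backed by SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    # Usage: python redirect_check.py http://sub.company.com/   (no URL: offline samples)
    if len(sys.argv) > 1:
        targets, fetch = sys.argv[1:], http_fetch
    else:
        targets, fetch = [u for u in SAMPLE_RESPONSES if u.startswith("http://")], sample_fetch
    for target in targets:
        result, chain = check_redirection(target, fetch=fetch)
        print(result)
        for hop_url, status, location in chain:
            print(f"  {status} {hop_url}" + (f" -> {location}" if location else ""))
```

Run it from the network position that matters: this script tests from wherever it is invoked, whereas an Observatory scan is made from Mozilla's scanner, so an internal-only host, an SSO interstitial that only fires for unauthenticated clients, or a different answer over IPv6 will all produce a chain the local curl never sees.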
