Outlook Web Access is the webmail embedded in the Exchange mail server. It is used by users outside the office to get access to their emails. Unfortunately, some versions of OWA are affected by a CSRF attack.
This vulnerability affects supported editions of Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007 (except Microsoft Exchange Server 2007 Service Pack 3). Exchange 2010 is not concerned by this attack.

CSRF Attack Explained

The attacker hosts on his own web server a page with a code pointing to the targeted OWA webmail domain. When the user browses this page, the code hijacks his session to change the target email parameters. The most complicated part for the attacker is to manage to make the target browse the web page: usually, he puts the link in a mail.

CSRF Prevention for OWA

Fortunately, it is easy to block this type of attack since it requires a third-party website. Well, easy, only if you use a load balancer or a reverse proxy with real layer 7 ability. The Aloha load balancer can be used to load balance exchange services as well as protect your OWA users against CSRF attacks.

As explained above, a page hosted on a third-party server would make the user’s browser send a request to his webmail. When doing this, the browser sets up the Referer HTTP header with the attacker’s website URL (including hostname).

Even if it is easy to fake this header in a normal situation, it is impossible for the attacker to change the behavior of the browser. This means we can easily monitor the Referer header and prevent any request from coming from an unknown domain.

In some cases, a Referer from another domain could be allowed, but only when pointing to a few URLs (OWA’s entry points).

It is important to notice that the Aloha load balancer must be used as the SSL offloader in order to be able to access all the HTTP headers.

The configuration below will explain all of this.

# valid Referer detection
  acl valid_owa_referer hdr_beg(Referer) http://webmail.company.com/ https://webmail.company.com/
# OWA entry points may have a Referer pointing to an other domain
  acl owa_welcome_url url / /owa /owa/
# don't check the Referer on welcome urls
  http-request allow if owa_welcome_url
# deny any OWA requests if the Referer does not point to Company's webmail hostname
  http-request deny if !valid_owa_referer
# allow valid requests (this one is implicite, but written for better understanding
  http-request allow

The code above won’t run any Referer check for the webmail URL entry points and will check it for all other URLs. If a request points to a page with a Referer outside the company’s domain name, the request is denied and your user safety is preserved.

Related Links

Subscribe to our blog. Get the latest release updates, tutorials, and deep-dives from HAProxy experts.