Difference between revisions of "WAF 330094"
Revision as of 18:13, 6 May 2013
Rule ID
330094
Status
Active rule currently published.
Alert Message
Atomicorp.com WAF Rules: Fake User Agent String
Description
This rule is triggered if a client sends a completely invalid and fake user agent string. It looks for the case where a client sends two User-Agent headers. In HTTP a client will only send a single User-Agent header, as there can only be one. Here are a few examples of an invalid User-Agent string.
Example 1:
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.6; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)
Example 2:
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
We've highlighted the header "User-Agent:". You will notice that it appears twice in these examples. This is always invalid and should never occur with a legitimate browser or web application. Closer observation of the strings above will reveal that they also contradict themselves by claiming the client is both running Internet Explorer 6 and Internet Explorer 7, or both running Chrome and Safari. This is, of course, impossible. A client cannot send a web request from IE7 and IE6, or Chrome and Safari, in the same request.
This technique is used by spammers and attackers to try to trick tools that filter out known spamming User-Agent headers. This is also known to happen sometimes when a user has installed, accidentally or deliberately, a piece of spyware that is trying to mask the user's actual web client.
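The check described above, written out as an added illustration (this is not the Atomicorp rule text, whose exact ModSecurity definition is not on this page): it flags a request that carries more than one User-Agent header line, or a single header whose value contains the header name "User-Agent:" again, which is how both examples above appear on the wire. The two invalid values are taken from the page; the legitimate Chrome value and the raw requests are constructed for the demonstration.

```python
import re

# Sample header values. "example1" and "example2" are the invalid strings
# shown on the page; "legit" is a constructed, normal Chrome value for contrast.
SAMPLES = {
    "example1": ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.6; "
                 "User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
                 "http://bsalsa.com) ; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 1.1.4322; "
                 ".NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.5; "
                 "OfficeLivePatch.1.3)"),
    "example2": ("User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 "
                 "(KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"),
    "legit": ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 "
              "(KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"),
}

# The header name nested inside its own value, in any letter case.
EMBEDDED_UA = re.compile(r"user-agent\s*:", re.IGNORECASE)


def is_fake_user_agent(ua_value: str) -> bool:
    """True when a User-Agent header value repeats the header name inside itself.
    A real browser never does this; it is the pattern in both page examples."""
    return EMBEDDED_UA.search(ua_value) is not None


def check_request(raw_request: str) -> dict:
    """Inspect the header block of a raw HTTP request and report whether it
    would trip the rule: several User-Agent lines, or one with the name embedded."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    header_lines = head.split("\r\n")[1:]          # drop the request line
    ua_values = [line.split(":", 1)[1].strip()
                 for line in header_lines
                 if line.lower().startswith("user-agent:")]
    embedded = any(is_fake_user_agent(v) for v in ua_values)
    return {
        "header_count": len(ua_values),
        "embedded_name": embedded,
        "match": len(ua_values) > 1 or embedded,
    }


def build_request(*ua_values: str) -> str:
    """Construct a minimal GET request carrying one User-Agent line per value."""
    lines = ["GET / HTTP/1.1", "Host: example.invalid"]
    lines += ["User-Agent: " + v for v in ua_values]
    return "\r\n".join(lines) + "\r\n\r\n"
```

Defenders logging rule 330094 hits can use the same split to tell a duplicated header line (two `User-Agent:` lines) from a single spliced value, since the latter is the spyware case the page describes.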
False Positives
Some spyware may break the user's User-Agent string. Therefore a false positive can occur. If you want to allow all cases, including where a
If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if it is a clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.
Tuning Recommendations
If you know that this behaviour is acceptable for your application, you can tune it by disabling this rule for the application or virtual host.
If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.