Question:

I'm having an issue with a client accessing our site, and the root cause is that the WAF (Web Application Firewall) doesn't like their User-Agent string:

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:34.0; C7QcSBPWTsrpX5YLvVZMqiujEZLWPtOYk3tDZ9WhW18=) Gecko/20100101 Firefox/34.0

In this case, the base64-encoded string is triggering a false positive in the WAF which thinks the User-Agent is lib

Is having a base64-encoded string inside a User-Agent normal or unusual?
Is the use of base64 strings inside a User-Agent covered by any RFCs or major vendor practices?

I'm trying to understand what's happening here. I don't feel the WAF signature is completely out of line to object, so I'd rather not just disable it, but I haven't seen this sort of User-Agent string before, so I'd rather understand better how common and/or legitimate a use case this is.

The site is designed for use by humans with browsers - it's not an API or anything like that - and it has been reported to me that the user has tried accessing the site with "FF/IE/Chrome" and failed. I do, however, show successful connections from the same client IP with an Opera user-agent:

User-Agent: Opera/9.80 (X11; Linux i686) Presto/2.12.388 Version/12.16

It's a little odd that the user reports having tried IE but all the User-Agent strings I see appear to be Linux. (As usual, contact with the end user is mediated through several parties, so I can't fully trust anything I hear.) It's also likely the IP is the outbound side of a business-class web proxy, which would explain why I see some Opera working for someone while someone else reports problems from the same IP.

Inspired by example, I googled the string and from there ended up using UA Tracker to search for base64 strings (or, the subset of them which were padded - I searched for "=)").

I'm going to add a bounty to this question, and the answer space I'm looking for is "what sort of software is putting base64 strings into User-Agents, and why? And is there any stamp of legitimacy for this practice?"

The user has worked around our problem by using a browser plugin to modify their User-Agent, so this is now an academic problem - but I think it's an interesting academic problem :)

Answer 1:

If all other traffic from this IP address is legitimate, then I wouldn't worry about the WAF rule being triggered. It doesn't decode into a human-readable string. So it was likely inserted by a proxy device for tracking purposes.

Regarding your concern about the RFC, they're written as a recommendation for how the field should be used, though there is little consistency between platforms. That being said, it's a value defined by the client which cannot be trusted, as it's trivial to modify.

There are two areas in which I see User-Agent strings becoming a concern:

Buffer Overflow - either trying to overflow the buffer on the server or within the website/application. This clearly isn't happening in the provided example.

Script/Code Injection - providing inline scripting, references to remote files, etc. Again, clearly not applicable to your situation.

If you're really worried/paranoid, change the User-Agent string of your own system to this one and browse the same pages while using a proxy such as Fiddler, Burp, etc. How do the request/responses compare to using your original User-Agent string?

I wouldn't recommend blocking any IP addresses based off the provided example unless all traffic from this IP is malicious. Even then it should only be blocked for a limited time. Better yet, create a "blocked web page" with details of how to be unblocked.

Answer 2:

Digging through the list of User-Agents at WhichBrowser:

Is having a base64-encoded string inside a User-Agent normal or unusual?

It is reasonable to conclude that this is rare, but possibly the result of a malware infection. However, I also abused this behaviour to add another security layer to my own site in the past, where only a few clients with a specific base64 UA token would even be displayed the login page. Similarly, this unique fingerprinting could also be used to serve an attack page or redirect elsewhere.

Is the use of base64 strings inside a User-Agent covered by any RFCs or major vendor practices?

Nothing is documented in any of the Gecko browsers' vendor information. In the UA you provided, the base64 is not part of the product information, but a comment.
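Added example (not code from the question or from either answer): a small Python triage helper for a WAF alert like the one above. It applies the two observations made in the answers, splitting the User-Agent into product tokens and parenthesised comments (the RFC 7231 grammar) and checking whether a base64-looking comment field decodes to readable text or to opaque bytes; the first two sample strings are the ones quoted in the question, the third is constructed here.

```python
import base64
import re

# Constructed samples: the first two are the User-Agent strings quoted in the
# question; the third is made up here to show a comment field that does decode
# to readable text (it is the base64 of "tracking-id=1234").
SAMPLE_UAS = [
    "Mozilla/5.0 (X11; Linux i686; rv:34.0; C7QcSBPWTsrpX5YLvVZMqiujEZLWPtOYk3tDZ9WhW18=) Gecko/20100101 Firefox/34.0",
    "Opera/9.80 (X11; Linux i686) Presto/2.12.388 Version/12.16",
    "Mozilla/5.0 (X11; Linux i686; rv:34.0; dHJhY2tpbmctaWQ9MTIzNA==) Gecko/20100101 Firefox/34.0",
]

# A base64-looking field: 16+ alphabet characters, optional padding, length a multiple of 4.
B64_FIELD = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def split_ua(ua):
    """Split a User-Agent into its product tokens and its parenthesised comments."""
    products, comments = [], []
    for m in re.finditer(r"\(([^)]*)\)|(\S+)", ua):
        if m.group(1) is not None:
            comments.append(m.group(1))
        else:
            products.append(m.group(2))
    return products, comments

def is_base64_field(field):
    """Alphabet, padding and length check only; says nothing about what the bytes mean."""
    return bool(B64_FIELD.match(field)) and len(field) % 4 == 0

def decodes_to_text(token):
    """True only if the token decodes to printable ASCII (tab/CR/LF allowed)."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return False
    return all(32 <= b < 127 or b in b"\t\r\n" for b in raw)

def triage(ua):
    """Report where base64 sits in the UA (comment vs product) and whether it is readable."""
    products, comments = split_ua(ua)
    fields = [f.strip() for c in comments for f in c.split(";")]
    in_comment = [f for f in fields if is_base64_field(f)]
    return {
        "products": products,
        "base64_in_comment": in_comment,
        "base64_in_product": [p for p in products if is_base64_field(p)],
        "readable": [t for t in in_comment if decodes_to_text(t)],
    }
```

Running triage() over the first sample reports the token as a comment field that decodes to non-printable bytes, which is the "opaque proxy tag" case the answers describe; an empty base64_in_product list confirms the product tokens themselves are ordinary.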