WebApp Sec mailing list archives

SpyWare and HTTP headers


From: Steve McCullough <website () showmethesmut com>
Date: Mon, 06 Sep 2004 12:02:32 -0300

Hi all,

I've recently had a flurry of page errors associated with clients who are browsing with FunWebProducts malware installed. There's more about this irritant here: http://forums.spywareinfo.com/index.php?showtopic=15652

Oddly for spyware, FunWebProducts announces its presence in the USER_AGENT header [an actual example: "HTTP_USER_AGENT:Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; FunWebProducts)"]. This is doubly odd because it lets you know about the threat and allows server-side response to a client-side privacy-breaking vulnerability. I've added a check for this header as part of my non-secure-side error handling and as part of my secure-side authentication.

HTTP headers are usually only mentioned in discussions of web application security by noting that they are trivial to forge (never trust the client, blah, blah). I was wondering, on the other hand, if anyone has experience with parsing them for info that might be useful as a vulnerability/attack signature at the application level.

Steve

--
Steve McCullough
Web Developer
www.venusenvy.ca
www.showmethesmut.com
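
An added example, not part of the original post or the poster's code: one way to do the User-Agent check the message describes, matching whole tokens inside the parenthesised comment and using the result only to tag error logs, since the header is client-supplied. The function names and the marker set are assumptions; only the `FunWebProducts` token and the sample header come from the post.

```python
import re

# Marker set is an assumption: only "FunWebProducts" appears in the post.
# Extend it with tokens you have confirmed in your own logs.
ADWARE_TOKENS = {"funwebproducts"}

# Sample header quoted in the post above.
SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; FunWebProducts)"

_COMMENT_RE = re.compile(r"\(([^()]*)\)")


def ua_comment_tokens(user_agent):
    """Return the ';'-separated tokens inside parenthesised UA comments."""
    tokens = []
    for comment in _COMMENT_RE.findall(user_agent or ""):
        tokens.extend(t.strip() for t in comment.split(";") if t.strip())
    return tokens


def adware_markers(environ):
    """Return sorted adware markers from a CGI/WSGI-style environ dict."""
    found = set()
    for token in ua_comment_tokens(environ.get("HTTP_USER_AGENT", "")):
        # Compare the token name (text before any space or slash) exactly,
        # so an unrelated product whose name merely contains a marker
        # string is not flagged.
        name = re.split(r"[ /]", token, maxsplit=1)[0].lower()
        if name in ADWARE_TOKENS:
            found.add(name)
    return sorted(found)


def annotate_error(environ, message):
    """Prefix an error-log message when the client advertises a marker.

    The header is client-supplied: a match is a hint for triage, and the
    absence of a match says nothing about the client.
    """
    markers = adware_markers(environ)
    if markers:
        return "[client-adware=%s] %s" % (",".join(markers), message)
    return message


if __name__ == "__main__":
    print(annotate_error({"HTTP_USER_AGENT": SAMPLE_UA}, "script error on /cart"))
```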


