Talking Headers: Part 1

Some people collect coins, DVDs or comic books. Others collect cars or Star Wars toys. Among other things, I like to collect HTTP headers. They take up a lot less space than cars, and can have a much higher return value than Mark McGwire's rookie card--as long as you something interesting.


From time to time I like to look through my collection for rare gems... like these, which caught my eye this week:



  • x-real-server

  • real-hostname


These are the two most popular of a few slight variations. The header name itself is generally useless (more on that some other day)--it is, of course, the value that matters. Unfortunately, the vast majority of these are boring as heck--the server's name with (or without) the www. In a few cases, however, they reveal something interesting--something other than the server's name.


At least one of them in my collection is likely the host's internal or "real" hostname (a cartoon character). Another is a completely different host/domain combination (perhaps the hosting company's machine name which the virtual host is running on?). And yet another reveals that it's actually "cgi01"--maybe a good indication there's a "cgi02" and that they'd be good places to look for... lots of CGI programs.


Earth shattering? No. Interesting, and with the potential to reveal a bit about your servers? Yes.


As always when building your web infrastructure, stop every bit of useless information that heads outbound--no matter how innocuous it may seem. You never know what an attacker may be able to leverage for attacks or social engineering, and you never know what future holds for new attacks or exploits.


And just for a bit of a product plug, WebInspect will now check for these variations.


For some fun headers, see Andrew Wooster's post from nearly 4 years ago.

Labels: Headers| HTTP| Research
Comments
(anon) | ‎06-02-2009 04:54 AM

"WebInspect will now check for these variations"

How exactly does it check for them? When did this seemingly new feature manifest within the product, as of version 8.0 or before?

Chris Sullo | ‎06-02-2009 02:14 PM

@wi user: it was pushed a few days ago via Smart Update. The ID is 10861 if you'd like to confirm you have it (via Policy Manager).

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
About the Author


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation