HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Talking Headers: Part 3: The Fun

In Part 1 of the series on interesting headers, I talked about leaking hostnames. In Part 2, it was PHP errors. In Part 3 I bring you... the funny stuff. Not funny, like how Mark Mcgwire's rookie card is now $5 on ebay compared to the hundreds it once was (and that I have 5 of them for some reason), but funny like watching a 1984 episode of Miami Vice and wondering how humanity survived the clothing and hair.

Note, a link to each site is on the header name:

I thought "x-hackers" typically got government jobs, or at least wrote books?

At least these guys at admit they cobbled it together... but gave themselves credit nonetheless:

Nick, Mic, or Andy (or all three?) must also get the warm fuzzies from Ashley, beacuse they've also got:

I'm not quite sure what to make of this next one, but I'm pretty sure it freaks me out just a little, like clowns. Actually, clowns freak me out a lot:

And finally... one that should need no explanation or almost-witty comment:

There are certainly tons more funny or odd headers out there, and I tried not to duplicate those in Andrew Wooster's post--what else have you seen?

Labels: Headers| HTTP| Research

Talking Headers: Part 2

While my rookie Mark McGwire cards aren't appreciating at all, my header collection is.  Check these actual headers out:

  • php warning: Unknown(): Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20020429/mysql.so' - Cannot open "/usr/local/lib/php/extensions/no-debug-non-zts-20020429/mysql.so" in Unknown on line 0

  • php: Error parsing /usr/www/users/bob/cgi-bin/php.ini on line 125

  • php warning: Function registration failed - duplicate name - pdf_new in Unknown on line 0, Function registration failed - duplicate name - pdf_delete in Unknown on line 0...

Yes, those are actual HTTP header names and values. That's some serious ugliness right there. Why PHP would be reporting errors through the headers I can only guess--but it is.

Finding any information on this via a search engine has proven impossible, as it's polluted with PHP syntax error messages and relevant discussions. So, if you have any ideas as to they why/how of this, I'd be interested to hear them.

And of course, my shameless product plug: WebInspect will alert on these.

Labels: Headers| HTTP| PHP| Research

Talking Headers: Part 1

Some people collect coins, DVDs or comic books. Others collect cars or Star Wars toys. Among other things, I like to collect HTTP headers. They take up a lot less space than cars, and can have a much higher return value than Mark McGwire's rookie card--as long as you something interesting.

From time to time I like to look through my collection for rare gems... like these, which caught my eye this week:

  • x-real-server

  • real-hostname

These are the two most popular of a few slight variations. The header name itself is generally useless (more on that some other day)--it is, of course, the value that matters. Unfortunately, the vast majority of these are boring as heck--the server's name with (or without) the www. In a few cases, however, they reveal something interesting--something other than the server's name.

At least one of them in my collection is likely the host's internal or "real" hostname (a cartoon character). Another is a completely different host/domain combination (perhaps the hosting company's machine name which the virtual host is running on?). And yet another reveals that it's actually "cgi01"--maybe a good indication there's a "cgi02" and that they'd be good places to look for... lots of CGI programs.

Earth shattering? No. Interesting, and with the potential to reveal a bit about your servers? Yes.

As always when building your web infrastructure, stop every bit of useless information that heads outbound--no matter how innocuous it may seem. You never know what an attacker may be able to leverage for attacks or social engineering, and you never know what future holds for new attacks or exploits.

And just for a bit of a product plug, WebInspect will now check for these variations.

For some fun headers, see Andrew Wooster's post from nearly 4 years ago.

Labels: Headers| HTTP| Research
Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.