During a weekend install of new firewalls in my main production datacenter, we also had an IBM Proventia Intrusion Prevention System installed. The device is set to learning mode for a while before it will start blocking nefarious traffic. I was alerted today by the datacenter, which also manages the IPS, that we had a large number of events for HTTP_UserAgent_Too_Long. After requesting more detail on the events, I was sent a document with several hundred pages of information. This info included source IP, HTTP request, User Agent, and more.
The event triggered for User Agents that were longer than 200 characters, which is also Microsoft’s recommendation for maximum user agent lengths. The vulnerability affects some HTTP servers, in which a user agent that is too long causes a buffer overflow and thus a denial of service. I found a tool described here and downloadable here to generate large HTTP requests. I ran this against a test web server with IIS and found that it never crashed the server even though I generated user agent strings of several million characters. Java seemed to crash on the client before I ever affected the web server. (I did find that I received a URI too long when I put about 19,500 characters in the GET statement.) So I determined that my servers were not affected by this vulnerability.
I noticed in the events that were sent to me that the user agents all looked legitimate. Most were between 200 and 250 characters, so they weren’t far over the limit. They were all Internet Explorer strings with many .NET versions displayed. So I spent some time googling user agent strings and found several good articles and sites that I have linked to below.
The User Agent is a string that is sent during an HTTP request that provides the web server with information on the browser being used and the platform it is running on. Microsoft provides a good summary here. You can see what the user agent of your browser is by going to: http://whatsmyuseragent.com/ . When I went to this site using Firefox (my default browser) I received this: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4. Checking my user agent from IE revealed: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648). I found a good article that discusses .NET and the user agent string. One point that I noticed was that .NET truncates the string to 256 characters.
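One way to sort several hundred pages of HTTP_UserAgent_Too_Long events into "long but ordinary IE string" and "needs a look" is shown below as an added example; it is not code from this post or from the IPS vendor. The function names, the 40-character per-token bound, and the sample events are assumptions made for illustration.

```python
import re
from collections import Counter

UA_LIMIT = 200         # length at which the IPS event fired, per the post
DOTNET_TRUNCATE = 256  # length at which, per the post, .NET truncates the string

# IE-shaped value: "Mozilla/x.y (token; token; ...)" with nothing after the ")".
SHAPE_RE = re.compile(r"^Mozilla/\d\.\d \(([^()]*)\)$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9 ._/:+-]{1,40}$")  # assumed per-token bound

def classify(ua):
    """Return (verdict, .NET CLR token count); the count is 0 unless long-benign."""
    if len(ua) <= UA_LIMIT:
        return "within-limit", 0
    m = SHAPE_RE.match(ua)
    if not m:
        return "review", 0  # long and not browser-shaped
    tokens = [t.strip() for t in m.group(1).split(";")]
    if not all(TOKEN_RE.match(t) for t in tokens):
        return "review", 0  # a single oversized or odd token
    dotnet = sum(t.startswith(".NET CLR ") for t in tokens)
    return ("long-benign", dotnet) if dotnet else ("review", 0)

def triage(events):
    """Count verdicts; list (source, length, over .NET limit) for review events."""
    counts, review = Counter(), []
    for src, ua in events:
        verdict, _ = classify(ua)
        counts[verdict] += 1
        if verdict == "review":
            review.append((src, len(ua), len(ua) > DOTNET_TRUNCATE))
    return counts, review

# Constructed sample events (source IP, User-Agent), not rows from the real report.
_CLR = "; ".join(f".NET CLR 3.0.{4506 + i}.{30 + i}" for i in range(7))
SAMPLE_EVENTS = [
    ("192.0.2.10", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) "
                   "Gecko/2008102920 Firefox/3.0.4"),
    ("192.0.2.11", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; "
                   f"Trident/4.0; {_CLR})"),
    ("192.0.2.12", "A" * 5000),
    ("192.0.2.13", "Mozilla/4.0 (compatible; MSIE 7.0; " + "x" * 300 + ")"),
]

if __name__ == "__main__":
    counts, review = triage(SAMPLE_EVENTS)
    print(dict(counts))
    for src, length, over in review:
        print(f"review {src}: {length} chars, over .NET limit: {over}")
```

Only strings whose length comes from many short, well-formed tokens including .NET CLR entries are marked long-benign; anything else over the limit is left for manual review.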
I also found this site that describes how to change the user agent string in various browsers. This site is a searchable database of user agents. And this is an interesting article on a string sniffer that collects strings into a database. Another interesting site lists IP addresses and their known user agents and whether they are a bot or browser.