My good friend, Mike Wazowski, called and asked for my help. He told me that he had encountered something strange when he looked for a tour package on a travel agency website. His family had a plan to go to Europe. He and his wife searched some travel agency websites. They browsed the same site and got different prices for the same tour. He asked me to investigate this issue.
First, I tried to do what he did and got the same price as his wife got. Then, I asked him to show me how he did it. Surprisingly, it was true that he got a more expensive price for the same tour. I opened Burp Suite and set it as a proxy to analyze the HTTP traffic. Then, I tried some hacking techniques against that travel agency website.
Finally, I found that it was because of the HTTP User-Agent header. That travel agency website filtered its customers based on the value of User-Agent. It charged my friend more because he uses an Apple laptop. I did an experiment: I intercepted his HTTP request and changed its User-Agent... and... I got the normal price.
What is User-Agent? How do we manipulate it?
User-Agent is our representative in communication within a client-server system. In HTTP especially, it identifies the software we use to send our request. Our browser populates this value automatically when we surf the Internet.
Most Web browsers use a User-Agent with this format:
Mozilla/[version] ([system and browser information]) [platform] ([platform details]) [extensions]
For example, Safari on the iPad has used the following:
Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405
Usually, User-Agent is used:
- To detect the browser version, so that the server-side application can decide whether it supports this particular browser and version.
- To detect the client type (e.g. mobile, PC, wearable device, etc.), so that the server-side application can respond with a layout that depends on that type.
- By advertising companies, for statistical purposes.
In Mike's case, the server-side application filters its customers based on their platform. Hahaha.. smart.
Let's see it from the other side… the Black Hat hacker's side 🙂
User-Agent is the same as any other input field. It can be used to attack the server-side application. If the User-Agent value is not validated and sanitized… a hacker can exploit the system.
What attacks can a hacker carry out?
a. Stored and Reflected Cross Site Scripting (XSS)
User-Agent is an HTTP request header that is a prime candidate for XSS. The hacker modifies the User-Agent value to become like this:
User-Agent: Mozilla/5.0 alert('XSS');<!--
Of course, it is not as simple as that… the hacker will write a more evil script.
b. SQL Injection
A large number of web analytics tools store the User-Agent value in a database. Imagine that User-Agent is not validated and a hacker injects a SQL query into it. For example:
User-Agent: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/532.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7C445c Safari/531.21.102011-10-16 20:23:50'
Note the single quote at the end of value.
c. Denial of Service
It can happen when a hacker fills User-Agent with a value that is longer than 255 characters. For more detail, you can read CVE-2004-0169.
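On the server side, the three cases above come down to treating User-Agent like any other untrusted input: bound its length, bind it as a SQL parameter, and escape it when it is displayed. The following Python sketch is an added example, not code from the travel site or any analytics tool; the table name, function names, the 255-character cap and the sample values are assumptions constructed for illustration.

```python
import html
import sqlite3

MAX_UA_LEN = 255  # assumed cap, taken from the 255-character figure in the post

def clean_user_agent(raw):
    """Return the value if it is bounded and printable, otherwise None."""
    if raw is None or len(raw) > MAX_UA_LEN:
        return None  # reject oversized values instead of truncating silently
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return None  # control characters (CR, LF, NUL) never belong in the value
    return raw

def store_hit(db, path, raw_ua):
    """Log one request; the User-Agent is bound as a parameter, never concatenated."""
    ua = clean_user_agent(raw_ua)
    db.execute("INSERT INTO hits (path, user_agent) VALUES (?, ?)",
               (path, ua if ua is not None else "(rejected)"))
    return ua is not None

def render_report(db):
    """Build an HTML report; every stored value is escaped at output time."""
    rows = db.execute("SELECT path, user_agent FROM hits ORDER BY id").fetchall()
    cells = "".join(
        "<tr><td>%s</td><td>%s</td></tr>" % (html.escape(p), html.escape(u))
        for p, u in rows)
    return "<table>%s</table>" % cells

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hits (id INTEGER PRIMARY KEY, path TEXT, user_agent TEXT)")
    # Constructed sample values modelled on the three cases in the post.
    samples = [
        "Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10",
        "Mozilla/5.0 <script>alert('XSS');</script><!--",   # markup in the header
        "Mozilla/5.0 Safari/531.21.10'",                    # trailing single quote
        "A" * 300,                                          # longer than the cap
    ]
    accepted = [store_hit(db, "/tours/europe", s) for s in samples]
    return db, accepted, render_report(db)

if __name__ == "__main__":
    _, accepted, report = demo()
    print(accepted)
    print(report)
```

The value with the trailing quote is stored verbatim because the driver binds it as data, and the markup only becomes harmless at render time, so both controls are needed.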
Now we can see that User-Agent can be manipulated easily. It can be done from both the client and server sides. You must stay vigilant. You can refer to this site, http://www.useragentstring.com/, if you want to analyze an unusual User-Agent value.