Activity Processors: Header Processor: Incident - Duplicate Request Header

Complexity: Informational (0.0)

Default Response: None

Cause: WebApp Secure monitors all of the request headers sent from the client to the web application. According to the HTTP RFC, no client should ever provide more than one copy of a specific header. For example, clients should not send multiple Host headers. However, there are a few exceptions, such as the Cookie header, which can be configured to allow multiples. If the user sends multiple copies of a header that is not explicitly configured to allow duplicates, this incident is triggered.

Behavior: Duplicate headers of the same type can have several causes: an attempt to profile the web server and see how it reacts, an attempt to smuggle malicious data into the headers (because a firewall might not look at subsequent copies of the same header), or possibly just a poorly programmed web client. In any case, it represents unusual activity that sets the user apart from everyone else. It signifies that the user is suspicious and is doing something average users do not do.
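The check described under Cause can be sketched as follows. This is an added example, not WebApp Secure's own code; the allowlist contents, function names and sample requests are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed allowlist of headers configured to permit multiple copies.
# The page names Cookie as one such exception; this set is hypothetical.
ALLOW_DUPLICATES = {"cookie"}


def parse_header_names(raw_request: bytes) -> list:
    """Return header field names, lower-cased, in the order received."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    names = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if line[:1] in (b" ", b"\t"):
            continue  # folded continuation of the previous header's value
        name, sep, _ = line.partition(b":")
        if not sep:
            continue  # malformed line, not a header field
        # Field names are case-insensitive, so "Host" and "host" must
        # count as the same header or a duplicate slips past the check.
        names.append(name.strip().decode("latin-1").lower())
    return names


def duplicate_headers(raw_request: bytes, allow=ALLOW_DUPLICATES) -> dict:
    """Map each disallowed duplicated header name to its copy count."""
    counts = Counter(parse_header_names(raw_request))
    return {n: c for n, c in counts.items() if c > 1 and n not in allow}


# Constructed sample: two Host headers (differing only in case) and two
# Cookie headers. Only Host should raise the incident.
SAMPLE_DUP = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: test-client\r\n"
    b"Cookie: a=1\r\n"
    b"host: other.example.com\r\n"
    b"Cookie: b=2\r\n\r\n"
)
# Constructed sample: duplicates only of an allowlisted header.
SAMPLE_OK = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: a=1\r\n"
    b"Cookie: b=2\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("dup", SAMPLE_DUP), ("ok", SAMPLE_OK)):
        print(label, duplicate_headers(req) or "no incident")
```

Normalizing the field name before counting matters here: a filter that compares names case-sensitively would treat `Host` and `host` as different headers and miss the duplicate.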