Activity Processors: Header Processor

A useful technique when attacking a site is to determine what software the site is running. This is known as fingerprinting the server. There are many methods, but the basic idea is to look for signatures that identify particular products. For example, it might be a known signature that Apache always lists the Date response header before the Last-Modified response header. If very few other servers follow the same pattern, then checking which header comes first could be used to identify whether Apache is being used. Other key methods include looking for Server or X-Powered-By headers that explicitly name the software in use. The goal of this processor is to eliminate headers as a means of fingerprinting a server.

You can allow local machine names (non-FQDNs) in the host header by setting the parameter engine.incidents.url_fuzzing.allow_locals to true using Expert Mode or the CLI. By default, any HTTP 1.1 request without a host header is considered a URL manipulation because of how nginx handles the lack of a host header. The reason for this difference is that the host header is required in HTTP 1.1 requests but not in HTTP 1.0 requests. When the nginx proxy forwards the request to the security engine, it recognizes that the HTTP 1.1 request is invalid and adds host: localhost to the request. The URL fuzzing logic considers this malicious, as a host of 'localhost' is suspicious.

Note: While the goal of this processor is mainly to prevent fingerprinting, it can also catch some malicious behavior and erroneous behavior in the protected applications (potentially as a result of an exploit). As such, the following incidents are recognized by the processor.

Table 24: Header Processor Configuration Parameters

| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Basic | | | |
| Processor Enabled | Boolean | True | Whether traffic should be passed through this processor. |
| Advanced | | | |
| Header Mixing Enabled | Boolean | False | Whether this processor should shuffle the order of response headers to avoid exposing identifiable information. |
| Request Header Stripping Enabled | Boolean | False | Whether this processor should strip unnecessary headers in request packets to avoid sending malicious data to the server. |
| Response Header Stripping Enabled | Boolean | False | Whether this processor should strip unnecessary response headers to avoid giving away identifiable information. |
| Maximum Header Length | Integer | 8192 | The maximum allowed length of a header in bytes. If header stripping is enabled, then any headers that exceed this length will be removed from the request before proxying. |
| Known Request Headers | Collection | Collection | A list of known request headers. |
| Known Response Headers | Collection | Collection | A list of known response headers. |
| Incident: Duplicate Request Header | Boolean | False | The application returned multiple instances of the same header, which it is never expected to do. |
| Incident: Duplicate Response Header | Boolean | False | The user provided multiple instances of the same header, and the header does not usually allow multiples. |
| Incident: Illegal Request Header | Boolean | False | The user provided a request header which is known to be involved in malicious activity. |
| Incident: Illegal Response Header | Boolean | False | The application returned a response header which it is never supposed to return. |
| Incident: Missing All Headers | Boolean | True | The user issued a request which has no headers at all. This incident only triggers on HTTP 1.1 requests (not on HTTP 1.0 requests). |
| Incident: Missing Host Header | Boolean | True | The application returned a response which is missing a required header. This incident only triggers on HTTP 1.1 requests (not on HTTP 1.0 requests). |
| Incident: Missing Request Header | Boolean | False | The user issued a request which is missing a required header. |
| Incident: Missing Response Header | Boolean | False | The application returned a response which is missing a required header. |
| Incident: Missing User Agent Header | Boolean | False | The user issued a request which is missing a required header. |
| Incident: Request Header Overflow | Boolean | True | The user issued a request which contained a header that was longer than the allowed maximum. |
| Incident: Unexpected Request Header | Boolean | False | The user issued a request which contains an unexpected and unknown header. |
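The following is an added example, not code from the product or its documentation: a small Python model of the checks and actions described above (the header-stripping, header-mixing and maximum-length parameters, and the Missing All Headers, Missing Host Header, Missing User Agent Header, Request Header Overflow, Duplicate Request/Response Header and Unexpected Request Header incidents), run over constructed request and response header lists. The "known", "identifying" and "repeatable" header sets and the sample messages are assumptions chosen for illustration; the real processor takes its lists from the Known Request Headers and Known Response Headers collections.

```python
"""Toy model of the Header Processor's checks (added example; the header
sets and sample messages below are constructed assumptions)."""
import random
from collections import Counter

# Assumed stand-ins for the Known Request Headers / Known Response Headers
# collections; header names are compared case-insensitively.
KNOWN_REQUEST_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "connection", "cookie", "content-type", "content-length", "referer",
}
KNOWN_RESPONSE_HEADERS = {
    "date", "content-type", "content-length", "last-modified",
    "cache-control", "set-cookie", "connection", "etag", "expires",
}
# Response headers that name the server software (the Server and
# X-Powered-By examples from the text); removed by response stripping.
IDENTIFYING_RESPONSE_HEADERS = {"server", "x-powered-by"}
# Headers that may legitimately appear more than once (assumed lists).
REPEATABLE_REQUEST_HEADERS = {"cookie", "accept", "accept-encoding", "accept-language"}
REPEATABLE_RESPONSE_HEADERS = {"set-cookie"}
MAX_HEADER_LENGTH = 8192  # "Maximum Header Length" default from Table 24


def header_len(name, value):
    """Length in bytes of a header line as it would appear on the wire."""
    return len(f"{name}: {value}".encode())


def check_request(headers, http_version="1.1", max_len=MAX_HEADER_LENGTH):
    """Return the incident names raised for one request.
    `headers` is an ordered list of (name, value) pairs as parsed off the wire."""
    if not headers:
        # Only HTTP 1.1 requires headers (the Host header), so 1.0 is left alone.
        return ["Missing All Headers"] if http_version == "1.1" else []
    counts = Counter(name.lower() for name, _ in headers)
    incidents = []
    if http_version == "1.1" and "host" not in counts:
        incidents.append("Missing Host Header")
    if "user-agent" not in counts:
        incidents.append("Missing User Agent Header")
    if any(header_len(n, v) > max_len for n, v in headers):
        incidents.append("Request Header Overflow")
    if any(c > 1 and n not in REPEATABLE_REQUEST_HEADERS for n, c in counts.items()):
        incidents.append("Duplicate Request Header")
    if any(n not in KNOWN_REQUEST_HEADERS for n in counts):
        incidents.append("Unexpected Request Header")
    return incidents


def check_response(headers):
    """Return the incident names raised for one response."""
    counts = Counter(name.lower() for name, _ in headers)
    if any(c > 1 and n not in REPEATABLE_RESPONSE_HEADERS for n, c in counts.items()):
        return ["Duplicate Response Header"]
    return []


def strip_request(headers, max_len=MAX_HEADER_LENGTH):
    """Request Header Stripping: drop over-long headers before proxying."""
    return [(n, v) for n, v in headers if header_len(n, v) <= max_len]


def sanitize_response(headers, strip=True, mix=True, seed=None):
    """Response Header Stripping removes unknown and software-identifying
    headers; Header Mixing shuffles what is left so header order cannot be
    used as a fingerprint. `seed` only exists to make the shuffle repeatable."""
    out = list(headers)
    if strip:
        out = [(n, v) for n, v in out
               if n.lower() in KNOWN_RESPONSE_HEADERS
               and n.lower() not in IDENTIFYING_RESPONSE_HEADERS]
    if mix:
        random.Random(seed).shuffle(out)
    return out


# Constructed sample messages.
SAMPLE_REQUEST = [
    ("Host", "www.example.com"), ("User-Agent", "ExampleBrowser/1.0"),
    ("Accept", "text/html"), ("X-Unknown-Probe", "1"),
]
SAMPLE_RESPONSE = [
    ("Server", "ExampleHTTPd/9.9"), ("Date", "Mon, 01 Jan 2024 00:00:00 GMT"),
    ("Last-Modified", "Sun, 31 Dec 2023 00:00:00 GMT"),
    ("Content-Type", "text/html"), ("X-Powered-By", "ExampleLang/1.2"),
]

if __name__ == "__main__":
    print("request incidents:", check_request(SAMPLE_REQUEST))
    print("response incidents:", check_response(SAMPLE_RESPONSE))
    print("sanitized response:", sanitize_response(SAMPLE_RESPONSE, seed=1))
```

Running the module on the constructed messages flags the unknown X-Unknown-Probe header, and the sanitized response keeps only Date, Last-Modified and Content-Type in a shuffled order, which is exactly the information the fingerprinting signatures in the text depend on.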