Cатсн²² (in)sесuяitу / ChrisJohnRiley

I’ve been playing on and off over the last year with HTTP response codes (yeah, I know, I’m a sad panda). As part of my research I’ve been looking at how various browsers handle content returned with the various standard response codes (some of the newer ones aren’t supported in Apache and the like and therefore aren’t that interesting for my uses at the moment).

I setup a simple tester script (JavaScript required, sorry) that loads images from a server setup to deliver them with specific response codes. You can have a play with it yourself if you’re interested[1] (I suggest running the requests through a proxy to see the fun happen).

The results are interesting [2] and could be used for a few interesting defensive tricks I’m mulling over. There are also a few interesting applications possible when it comes to fingerprinting browsers (and scripting languages for that matter). Although this level of granularity is never going to give you a specific version of browser and list of plugins installed, it could offer a simple test for checking if the browser is Internet Explorer or Opera for example. It’s also interesting to think that scripts/tools that fake the user-agent string might be detectable using some carefully crafted response code tricks. User-Agent string are fun and all, but the old adage “trust but verify” springs to mind. I also included some details on a couple of scripting languages which are interesting. I’m certainly not foolish enough to think that these issues can’t be coded around, but it’s interesting to see the initial state of things when it comes to 3 of the more popular scripting languages (Perl, Python and Ruby).

I’ll leave it to the reader to think over further uses for this stuff… I’ve certainly got a few interesting ideas that have been keeping my brain busy for a while. Hopefully I’ll be moving forward on the research and coming up with a few interesting things in the future. Maybe even a presentation that’s NOT about SAP… that would be nice wouldn’t it 😉 It’s therapeutic to think defensively for a while. It’s especially fun when you can use defensive research to screw with script kiddies and scanner junkies <insert evil laugh here>

Note: I’m constantly updating and tweaking the results spreadsheet as I find new results… I’ve also tweaked some of the results I previously noted due to some false positives with specific browsers. If you see anything that looks wrong, just let me know!

• [1a] http://www.catch22insecurity.com/POC/testrespsupport.html –> Response Code Content Checker
• [1b] http://catch22insecurity.com/POC/respcode.php?code=200 –> Individual Response Code Checker
• [2] https://docs.google.com/spreadsheet/ccc?key=0Al9_rvxVauuJdGVRQnpfWFFVdFdobDlrUkhVaEJ3eXc