
27 January 2012

Comments

Browser fingerprinting is surely a good technique, but in this day and age of AJAX and REST clients, there are going to be more and more legit requests which do not look like an IE or Mozilla one...
(Plus I think it would take 4 hours to straighten the HOIC code so that its default request matches byte by byte an IE one)

Another really nice browser fingerprinting tool is https://panopticlick.eff.org/

Another method I implemented in my ruleset is to check for "sdch" in Chrome requests' Accept-Encoding: only Chrome supports that encoding, and no other browser, which makes it perfect for this use.

I think my ruleset alone kills half those default user-agents :)

Glad to see I'm not the only one considering browser fingerprinting a valid technique... my experiment with using it as an antispam method has worked quite nicely, for what concerns my blog.

Some fake browser rejection is already implemented in my own set of rules at http://www.flameeyes.eu/projects/modsec — there is one further that here is not considered: MSIE always sends an Accept-Encoding header as well.

Also about the use of Host and HTTP/1.0 (which is another thing that suggested to me going for browser fingerprinting), no modern browser still uses HTTP/1.0, unless it's going through a proxy and it's the proxy doing the downgrade. But if there is a proxy involved, it should include a Via header as well. I have used that for a while but there was some reason why I had to take it out.

I need to check Windows-based browsers, by the way, but I think a browser sending an Accept: */* might be a red flag as well.
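The header heuristics raised across these comments (Chrome advertising `sdch`, MSIE always sending `Accept-Encoding`, HTTP/1.0 without a `Via` header, a bare `Accept: */*`) can be run as a scoring check over a raw request head. The following is an added example written for this page; it is not code from either commenter's ModSecurity ruleset. The function names, the signal labels, the threshold, and the sample requests are all constructed for illustration. One caveat for anyone reusing the `sdch` check today: Chrome dropped SDCH support in 2017, so that rule is only valid for traffic of the era the comments describe.

```python
"""Heuristic checks for requests whose headers do not match the browser their
User-Agent claims. Added example, not code from either commenter's ModSecurity
ruleset; parse_request_head(), the signal names, the threshold and the sample
requests below are constructed for illustration."""
from typing import Dict, List


def parse_request_head(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP request head into a dict.

    The protocol version from the request line is stored under "version";
    header names are lower-cased so lookups are case-insensitive.
    """
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    method, target, version = lines[0].split(" ", 2)
    req = {"method": method, "target": target, "version": version}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        req[name.strip().lower()] = value.strip()
    return req


def fingerprint_signals(req: Dict[str, str]) -> List[str]:
    """Return the list of 'fake browser' signals present in a parsed request."""
    ua = req.get("user-agent", "")
    accept_encoding = req.get("accept-encoding")
    signals: List[str] = []

    # Chrome of this era advertised "sdch" in Accept-Encoding and no other
    # browser did. Caveat: Chrome removed SDCH in 2017, so this only holds for
    # requests from that period.
    if "Chrome/" in ua and (accept_encoding is None or "sdch" not in accept_encoding.lower()):
        signals.append("chrome-without-sdch")

    # MSIE always sends an Accept-Encoding header.
    if "MSIE" in ua and accept_encoding is None:
        signals.append("msie-without-accept-encoding")

    # A modern browser speaks HTTP/1.1; HTTP/1.0 should only arrive through a
    # downgrading proxy, which is expected to add a Via header.
    if req.get("version") == "HTTP/1.0" and "via" not in req:
        signals.append("http10-without-via")

    # Browsers send a content-negotiating Accept list, not a bare */*. Many
    # legitimate REST/AJAX clients do send */*, so this is a weak signal on its own.
    if req.get("accept", "").strip() == "*/*":
        signals.append("bare-accept-star")

    return signals


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Score rather than block on any single signal: API clients and proxies
    produce legitimate requests that do not look like a browser's. The
    threshold is a constructed tuning knob, not a value from the comments."""
    return len(fingerprint_signals(parse_request_head(raw))) >= threshold


# Constructed sample request heads (not captured traffic).
SAMPLES = {
    "real_chrome": "\r\n".join([
        "GET / HTTP/1.1",
        "Host: example.com",
        "User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Encoding: gzip,deflate,sdch",
    ]),
    "fake_chrome": "\r\n".join([
        "GET / HTTP/1.1",
        "Host: example.com",
        "User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
        "Accept: */*",
    ]),
    "msie_http10": "\r\n".join([
        "GET / HTTP/1.0",
        "Host: example.com",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
        "Accept: image/gif, image/jpeg, */*",
    ]),
    "proxied_http10": "\r\n".join([
        "GET / HTTP/1.0",
        "Host: example.com",
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Encoding: gzip, deflate",
        "Via: 1.1 proxy.example",
    ]),
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, fingerprint_signals(parse_request_head(raw)), is_suspicious(raw))
```

The `proxied_http10` sample is the case the second comment calls out: HTTP/1.0 on its own is not a red flag when a `Via` header shows a proxy did the downgrade, which is why the check looks at the two headers together rather than rejecting HTTP/1.0 outright.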
