问题
Doing web traffic and log analysis, but there are a lot of malformed headers being passed from clients. These have characters transposed or replaced with "x"'s.
Does anyone know where they come from or why? Is this some kind of attempt at security, or something more nefarious?
Examples:
xroxy-connection: Keep-Alive cneoction: close nncoection: close ocpry-connection: Keep-Alive pxyro-connection: close proxy-~~~~~~~~~~: ~~~~~~~~~~ x-xorwarded-for: 000.00.00.000 Referer: http://www.example.xom/nxws/article/2009-1x-21/?cid=4xxx00x2-0x60x3x0
回答1:
Check out the Missed Cneonctions section of Fun With HTTP Headers. The author thinks:
I now believe this is something done by a hackish hardware load balancer trying to “remove” the connection close header when proxying for an internal server. That way, the connection can be held open and images can be transmitted through the same TCP connection, while the backend web server doesn’t need to be modified at all.
回答2:
A Google search for "xroxy-connection" turns up a security advisory on Kerio Winroute Firewall which replaces the first character in a header with an X for some reason.
The letter transposition is probably a similar proxying issue, if I had to take a guess.
来源:https://stackoverflow.com/questions/1628593/http-headers-from-some-clients-have-characters-randomly-replaced