HTTP Header Manipulation Series
Author: David Zimmer
Site: http://sandsprite.com/Sleuth
-----------------------------------------------------------------------------------

As article 4 in the HTTP header series, we will again draw upon our previous knowledge and experience and introduce you to our next data field of interest, the User-Agent string.

The User-Agent field is provided by the browser to indicate what version of browser it is, so that web developers can tailor their content to the capabilities of the user's browser. It is also another common field to log for statistical tracking, and may even be subsequently parsed into several data fields to further categorize the surfer by operating system and browser patch level. This opens up the exact same attack scenarios as defined in the statistical processing section discussed with the referrer field, namely the possibility of SQL or script injection. For brevity we will not recap the previous discussions any further and will just restate that any user-supplied data should be suspect until proven innocent.
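
Added example (not part of the original article): one way a statistics logger can treat the User-Agent header as untrusted on both paths named above, using a bound SQL parameter on the way in and HTML escaping on the way out. The table schema, function names, length cap and sample headers are assumptions constructed for illustration.

```python
import html
import sqlite3

MAX_UA_LEN = 512  # assumed cap; pick one that suits your log schema


def open_stats_db():
    """In-memory stand-in for the statistics database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hits (id INTEGER PRIMARY KEY, user_agent TEXT NOT NULL)")
    return db


def normalize_user_agent(raw):
    """Treat the header as untrusted: drop control characters, bound the length."""
    if raw is None:
        return ""
    cleaned = "".join(ch for ch in raw if ch.isprintable())
    return cleaned[:MAX_UA_LEN]


def log_hit(db, raw_user_agent):
    """Store the value with a bound parameter, never by string concatenation."""
    ua = normalize_user_agent(raw_user_agent)
    db.execute("INSERT INTO hits (user_agent) VALUES (?)", (ua,))
    db.commit()
    return ua


def render_stats_rows(db):
    """Build the HTML rows for the stats page, escaping the value on output."""
    rows = db.execute(
        "SELECT user_agent, COUNT(*) FROM hits GROUP BY user_agent ORDER BY user_agent"
    ).fetchall()
    return "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(html.escape(ua, quote=True), n)
        for ua, n in rows
    )


# Constructed sample headers: one ordinary, one carrying SQL and script metacharacters.
SAMPLE_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "x'); DROP TABLE hits;--<script>alert(1)</script>",
]

if __name__ == "__main__":
    db = open_stats_db()
    for agent in SAMPLE_AGENTS:
        log_hit(db, agent)
    print(render_stats_rows(db))
```

The second sample header is stored verbatim as data and appears in the rendered page only in escaped form, so the log stays accurate without the value being interpreted by the database or the browser.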