Changed URL Parameters in IE9

I see changed URL parameters coming from IE9 desktop clients. Links are sent by email and all changed URLs come from a text version of the email.

I am pretty sure that this has nothing to do with my stack (django, nginx, mandrill). Parameter values have exactly transposed characters. The original character is minus 13 places (for example, rznvy_cynva = email_plain, ubgryfpbz = hotelscom).

Here is one example of a garbled request that went through:

GET /book/48465?sid=rznvy_cynva&order=q09362qs55-741722-442521-98n2-n88s4nnr87192n&checkOut=07-17-15&affiliate=ubgryfpbz&checkIn=07-16-15 HTTP/1.1" 302 5 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" 
  • All requests with malformed URLs have the same user agent as in the example.
  • The IP addresses associated with the changed URLs are not limited to any location.
  • Judging by the user agent, this is apparently limited to users of Windows 7, IE9.
+4
2 answers

This is antivirus software on recipient computers. It receives links and crawls your pages for possible vulnerabilities. It uses rot13 obfuscation to ensure that it does not take any unwanted actions ("buy now", etc.).

https://security.stackexchange.com/questions/48684/help-investigating-potential-website-attack-url-rewriting-and-rot-13-obfuscatio

The solution is to keep track of which antivirus software / company is scanning and, if possible, make your site “white”.

+7
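
As an added example (not code from the question or the answers), one way to pick these scanner requests out of an access log: a parameter is flagged when its logged value fails the expected format but its ROT13 decoding passes. The expected values for sid and affiliate and the hex format of order are assumptions inferred from the sample request; email_html and CLEAN_LINE are constructed.

```python
import codecs
import re
from urllib.parse import parse_qsl, urlsplit

# Assumptions: what the site's own links put in each tracked parameter.
HEX_ID = re.compile(r"[0-9a-f-]+")
EXPECTED = {
    "sid": lambda v: v in {"email_plain", "email_html"},  # email_html is hypothetical
    "affiliate": lambda v: v == "hotelscom",
    "order": lambda v: HEX_ID.fullmatch(v) is not None,   # hex id with dashes
}
REQUEST_RE = re.compile(r"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d")

# Request line from the question.
PAGE_LINE = (
    'GET /book/48465?sid=rznvy_cynva&order=q09362qs55-741722-442521-98n2-'
    'n88s4nnr87192n&checkOut=07-17-15&affiliate=ubgryfpbz&checkIn=07-16-15 '
    'HTTP/1.1" 302 5 "-" "Mozilla/5.0 (compatible; MSIE 9.0; '
    'Windows NT 6.1; WOW64; Trident/5.0)"'
)
# Constructed: the same link as an ordinary mail client would request it.
CLEAN_LINE = (
    'GET /book/48465?sid=email_plain&order=d09362df55-741722-442521-98a2-'
    'a88f4aae87192a&checkOut=07-17-15&affiliate=hotelscom&checkIn=07-16-15 '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed sample)"'
)

def rot13(value):
    """ROT13 shifts A-Z/a-z by 13 places; digits, '-' and '_' are unchanged."""
    return codecs.decode(value, "rot_13")

def rot13_params(log_line):
    """Return {param: decoded value} for tracked parameters whose logged value
    is not in the expected format but whose ROT13 decoding is."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return {}
    hits = {}
    for name, value in parse_qsl(urlsplit(match.group(1)).query):
        check = EXPECTED.get(name)
        if check and not check(value) and check(rot13(value)):
            hits[name] = rot13(value)
    return hits

def classify(log_line):
    """'scanner' if any tracked parameter arrived ROT13-encoded, else 'normal'."""
    return "scanner" if rot13_params(log_line) else "normal"
```

Requests classified as scanner can be excluded from click and conversion statistics, and their source addresses and user agents collected to identify which product is doing the scanning.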


Source: https://habr.com/ru/post/1606638/

