What it detects
- Detects the presence of a device that manipulated HTTP request headers
Inputs
- A backend to be used for checking the tampering
Experiment
A set of different requests is sent to the backend. Through a covert channel the client reports to the server the request it made. These are the requests that are made:
- For every HTTP request method the CaPitaLization is varied
- The body of the request is compressed using gzip and the gzip Content-Encoding header is added (Add more details?)
Control
- The backend checks if the received request matches the one that the client claims to have sent.
Output
- Which kinds of requests are being tampered with, plus the logs of the data sent and the data received.
Notes
Apparently such devices often remove the 'gzip' encoding by replacing it in-line with 'xxxx' or something similar; apparently this is so that the device does not have to waste CPU on gzip decoding.
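The experiment and control above, together with the in-line 'gzip' to 'xxxx' rewrite from the notes, as an added example that is not part of this spec. It is a self-contained Python sketch: a minimal raw-socket backend on 127.0.0.1 echoes back, as JSON, the request line and headers exactly as it received them; the client builds each request from the set (every method with varied capitalization, plus a gzip-compressed body with a Content-Encoding header) and compares its own copy against the echo. Two things are assumptions of this sketch rather than the spec: the comparison is done on the client side against the backend's echo instead of the client reporting over a covert channel, and `simulated_middlebox` is a constructed stand-in applied inside the backend so the tampering described in the notes can be reproduced without any real network device.

```python
import gzip
import json
import socket
import threading


def parse_request(raw):
    """Minimal HTTP/1.x parser that keeps the request line and the header
    spelling exactly as found in the bytes (no case folding, no reordering)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name, value.strip()))
    return {"request_line": lines[0], "headers": headers, "body_hex": body.hex()}


def _read_request(conn):
    """Read one request from a socket: the headers, then Content-Length body bytes."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    head, sep, rest = buf.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    while len(rest) < length:
        chunk = conn.recv(4096)
        if not chunk:
            break
        rest += chunk
    return head + sep + rest[:length]


def start_backend(middlebox=None):
    """Control backend on an ephemeral 127.0.0.1 port; returns the port number.
    Every request is answered with a JSON description of what was received.
    `middlebox` is a constructed stand-in for an in-path device: a function
    applied to the raw bytes before parsing, so tampering can be simulated."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                raw = _read_request(conn)
                if middlebox is not None:
                    raw = middlebox(raw)
                payload = json.dumps(parse_request(raw)).encode()
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                             b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(payload))
                conn.sendall(payload)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def build_request(method, path, headers, body=b""):
    """Serialise a request exactly as the client intends to put it on the wire."""
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def send_raw(port, raw):
    """Send raw bytes to the backend and return its report of what it received."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(raw)
        resp = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            resp += chunk
    return json.loads(resp.partition(b"\r\n\r\n")[2])


def compare(sent, received):
    """The control step: every field where the backend saw something other than
    what the client says it sent is evidence of an in-path device."""
    diffs = []
    for key in ("request_line", "headers", "body_hex"):
        a, b = sent[key], received[key]
        if key == "headers":  # JSON turns tuples into lists; normalise both sides
            a, b = [list(h) for h in a], [list(h) for h in b]
        if a != b:
            diffs.append((key, a, b))
    return diffs


def _alternate_case(word):
    return "".join(c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(word))


def run_experiment(port):
    """Send the request set from the spec; returns {label: list of differences}."""
    host = ("Host", f"127.0.0.1:{port}")
    results = {}
    for method in ("GET", "POST", "HEAD"):
        for variant in (method, method.lower(), _alternate_case(method)):
            raw = build_request(variant, "/", [host, ("Content-Length", "0")])
            results[variant] = compare(parse_request(raw), send_raw(port, raw))
    body = gzip.compress(b"probe body")  # constructed sample body
    raw = build_request("POST", "/", [host, ("Content-Encoding", "gzip"),
                                      ("Content-Length", str(len(body)))], body)
    results["POST+gzip"] = compare(parse_request(raw), send_raw(port, raw))
    return results


def simulated_middlebox(raw):
    """Constructed imitation of the behaviour in the notes: upper-case the
    method and blank out the gzip encoding in-line with 'xxxx'."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    line, crlf, rest = head.partition(b"\r\n")
    method, space, tail = line.partition(b" ")
    head = method.upper() + space + tail + crlf + rest
    return head.replace(b": gzip", b": xxxx") + sep + body


if __name__ == "__main__":
    for label, port in (("clean path", start_backend()),
                        ("simulated middlebox", start_backend(simulated_middlebox))):
        tampered = {k: v for k, v in run_experiment(port).items() if v}
        print(label, "->", tampered or "no tampering")
```

Running the script prints "no tampering" for the clean backend, while the simulated device shows up as request-line differences for every non-upper-case method variant and a header difference for the gzip request; the returned `(field, sent, received)` tuples are the "logs of the data sent and received" the Output section asks for.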