|
|
'''What it detects'''
|
|
|
**What it detects**
|
|
|
|
|
|
* Detects the presence of a device that manipulated HTTP request headers
|
|
|
|
|
|
'''Inputs'''
|
|
|
**Inputs**
|
|
|
|
|
|
* A backend to be used for checking the tampering
|
|
|
|
|
|
'''Experiment'''
|
|
|
**Experiment**
|
|
|
|
|
|
A set of different requests are sent to the backend. Through a covert channel the client reports to the server the request it made.
|
|
|
These are the requests that are made:
|
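Review bot: The Experiment paragraph says the client reports its request "through a covert channel" but never says what that channel is, so the comparison the test relies on cannot be implemented from this text. Name the channel and state how the backend ties a report to the request it describes. The Inputs item has a similar gap: "A backend to be used for checking the tampering" does not say in what form the backend is supplied. Since this revision only touches the heading markup, it is also a good moment to fix "A set of different requests are sent" to "is sent".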
... | ... | @@ -14,15 +14,15 @@ |
|
|
* For every HTTP request method the CaPitaLization is varied
|
|
|
* The content of the request is compressed using gzip and the gzip encoding header is added (Add more details?)
|
|
|
|
|
|
'''Control'''
|
|
|
**Control**
|
|
|
|
|
|
* The backend checks if the received request matches the one that the client claims to have sent.
|
|
|
|
|
|
'''Output'''
|
|
|
**Output**
|
|
|
|
|
|
* What kind of requests are being tampered with and the logs of the sent data and received data.
|
|
|
|
|
|
'''Notes'''
|
|
|
**Notes**
|
|
|
|
|
|
apparently they often remove the 'gzip' encoding by
|
|
|
replacing it in-line with 'xxxx' or something similar - apparently this
|
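Review bot: The gzip item still carries the open question "(Add more details?)". Either name the header the client adds and say what is compressed, or drop the parenthetical before this revision is saved. The capitalization item says the case is varied "for every HTTP request method" without listing the methods, and Control does not say whether the match is on the whole request or only on the method and headers. In Notes, "apparently they often remove the 'gzip' encoding" has no referent for "they", cites no observation, and breaks off mid-sentence; identify the kind of device meant and complete or remove the sentence.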
... | ... | |