I am trying to write a script to test a Suricata network signature. To do this I need to simulate the same user agent as the malware. I tried the following.

$.ajaxSetup({
    beforeSend: function(request) {
        request.setRequestHeader("User-Agent","XAgent/1.");
    }
});
$.ajax({
    url: "localhost",
    type: "GET"
});

But I got the error Refused to set unsafe header "User-Agent".

I have also tried WebSocket and socket.io.js, but each of those does not allow me to actually send a raw HTTP request.

What I want is a tool like telnet in the browser so I can just send the raw HTTP request and define all the fields, but this seems not possible. Is there any way I can do this?

Arminius
MikeSchem
  • Your browser should have a way of spoofing a user agent string. Google that. If that fails try netcat. – Dan Landberg Jun 09 '17 at 18:53
  • yea, I know I can spoof the user agent with a plugin, but I need to create a test page for people that are not technical to use. I can't use nc because it is also not very easy to use, even with a script it isn't installed on every computer. – MikeSchem Jun 09 '17 at 18:55
  • I'm not sure you're going to have any luck with that unless you're using some sort of ancient browser. I assume you need this to come from multiple IP addresses, or will a single one work just fine? – Dan Landberg Jun 09 '17 at 19:09
  • Browsers attempt to prevent you from doing mischievous things such as changing the user agent to something other than what the browser wants it to be. Just like they prevent you from making unauthorized cross origin requests. I'm not sure why you are surprised at that. If you go outside the browser to pretty much any other tool that can make web requests, then you can muck with them to your heart's content, but not from within the browser's controlled environment. – jfriend00 Jun 10 '17 at 06:04

1 Answer

But I got the error Refused to set unsafe header "User-Agent"

Browser behavior varies here. Firefox allows unprivileged web applications to issue a custom User-Agent header to the same domain (or to other origins via CORS), but Google Chrome doesn't.

User-Agent is not in Mozilla's list of forbidden headers:

Note: The User-Agent header is no longer forbidden, as per spec — see forbidden header name list (this was implemented in Firefox 43,) so can now be set in a Fetch Headers object, via XHR setRequestHeader(), etc.

But you will never be able to send the header cross-domain without permission. That's also why XSS flaws based on altered user-agent strings are usually not exploitable.

Beyond that, an unprivileged web application can't issue actual "raw HTTP requests" for obvious security reasons. Even if you write a browser plugin, chances are that you have to go through the respective higher-level APIs and can't entirely control HTTP requests on a byte level, as you could using netcat.

Arminius
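
The answer's point that byte-level control needs a tool outside the browser, shown as an added example (not part of the original answer): a Node.js script that builds the request as a raw string and writes it to a TCP socket, the way netcat would. The function names and the loopback listener are assumptions made for illustration; the User-Agent value is the one from the question.

```javascript
// Added example: build an HTTP/1.1 request byte for byte and send it over TCP.
// Runs under Node.js, not in a browser. All function names are hypothetical.
function buildRawRequest({ host, path = '/', method = 'GET', headers = {} }) {
  const all = { Host: host, ...headers, Connection: 'close' };
  const lines = [`${method} ${path} HTTP/1.1`];
  for (const [name, value] of Object.entries(all)) {
    // Reject CR/LF so a header value cannot add extra lines to the request.
    if (/[\r\n]/.test(name + value)) throw new Error(`CR/LF in header ${name}`);
    lines.push(`${name}: ${value}`);
  }
  return lines.join('\r\n') + '\r\n\r\n';
}

async function sendRaw(host, port, raw) {
  const net = await import('node:net'); // dynamic import works in CJS and ESM
  return new Promise((resolve, reject) => {
    let reply = '';
    const sock = net.connect({ host, port }, () => sock.write(raw));
    sock.setEncoding('latin1');
    sock.on('data', (chunk) => { reply += chunk; });
    sock.on('close', () => resolve(reply));
    sock.on('error', reject);
  });
}

// Constructed loopback listener: records exactly what arrived on the wire.
async function loopbackDemo() {
  const net = await import('node:net');
  const raw = buildRawRequest({ host: 'localhost', headers: { 'User-Agent': 'XAgent/1.' } });
  let seen = '';
  const server = net.createServer((c) => {
    c.setEncoding('latin1');
    c.on('data', (d) => {
      seen += d;
      if (seen.endsWith('\r\n\r\n')) c.end('HTTP/1.1 204 No Content\r\n\r\n');
    });
  });
  await new Promise((ok, no) => server.once('error', no).listen(0, '127.0.0.1', ok));
  await sendRaw('127.0.0.1', server.address().port, raw);
  server.close();
  return seen;
}

loopbackDemo().then((seen) => console.log(JSON.stringify(seen)), (e) => console.error(e.message));
```

To exercise the signature itself, call sendRaw against a test web server whose traffic the sensor monitors instead of the loopback listener.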