HTTP status codes can be used defensively to confuse scanners and script kiddies. The document discusses how different browsers interpret various status codes, and this behavior can be leveraged to fingerprint browsers or detect proxy usage. Status codes can also be used to introduce false positives and negatives in vulnerability scanners, or slow them down by returning non-standard codes from all URLs.

1. Defense by Numb3r5
Making problems for script k1dd13s
and scanner monkeys
@ChrisJohnRiley

3. “THE WISEST MAN, IS HE
WHO KNOWS, THAT HE
KNOWS NOTHING”
SOCRATES: APOLOGY, 21D

4. I LIKE EDGE CASES

6. Goals for this talk
Describe the
defensive uses of
HTTP status codes

7. 1) What
2) Why
3) How
4) Goals
5) Bringing it together
6) Review

8. WHAT?

9. HTTP STATUS CODES

11. Seems like such a
Small detail

12. … small detail,
big impact

14. This talk contains:
- Numbers
- Bad Jokes
- Traces of peanuts
- Did I mention numbers?

15. HTTP Status Codes
o Majority part of RFC 2616 (HTTP/1.1)
o 5 main classes of response
o 1XX informational
o 2XX success
o 3XX redirection
o 4XX client error
o 5XX server error

16. BASICS
AKA: THE BORING THEORY BIT

17. 1XX Informational
o Indicates response received
o Processing is not yet completed
o 100 Continue
o 101 Switching Protocols
o 102 Processing (WebDAV RFC 2518)

18. 2XX Success
o Indicates response received
o Processed and understood
o 200 OK
o 201 Created
o 202 Accepted
o 203 Non-Authoritative Information
o 204 No Content

19. 2XX Success (cont.)
o 205 Reset Content
o 206 Partial Content
o 207 Multi-Status (WebDAV RFC 4918)
o Codes not supported by Apache
o 208 Already Reported
o 226 IM Used
o 250 Low on Storage Space

20. 3XX Redirection
o Action required to complete request
o 300 Multiple Choices
o 301 Moved Permanently
o 302 Found / Moved Temporarily
o 303 See Other
o 304 Not Modified

21. 3XX Redirection (cont.)
o 305 Use Proxy
o 306 Switch Proxy
o 307 Temporary Redirect
o Codes not supported by Apache
o 308 Permanent Redirect

22. 4XX Client Error
o Client caused an error
o 400 Bad Request
o 401 Unauthorized
o 402 Payment Required
o 403 Forbidden
o 404 Not Found
o 405 Method Not Allowed

23. 4XX Client Error (cont.)
o 406 Not Accessible
o 407 Proxy Authentication Required
o 408 Request Timeout
o 409 Conflict
o 410 Gone
o 411 Length Required

24. 4XX Client Error (cont.)
o 412 Precondition Failed
o 413 Request Entity Too Large
o 414 Request-URI Too Long
o 415 Unsupported Media Type
o 416 Request Range Not Satisfiable
o 417 Expectation Failed
o 418 I’m a Teapot (WebDAV RFC 2324)

25. 4XX Client Error (cont.)
o 419 / 420 / 421 Unused
o 422 Unprocessable Entity (RFC 4918)
o 423 Locked (RFC 4918)
o 424 Failed Dependency (RFC 4918)
o 425 No Code / Unordered Collection
o 426 Upgrade Required (RFC 2817)

26. 4XX Client Error (cont.)
o Codes not supported by Apache
o 428 Precondition Required
o 429 Too Many Requests
o 431 Request Header Fields Too Large
o 444 No Response (NGINX)
o 449 Retry With (Microsoft)
o 450 Blocked by Win. Parental Controls
o 451 Unavailable For Legal Reasons

27. 4XX Client Error (cont.)
o Codes not supported by Apache
o 494 Request Header Too Large (NGINX)
o 495 Cert Error(NGINX)
o 496 No Cert (NGINX)
o 497 HTTP to HTTPS (NGINX)
o 499 Client Closed Request (NGINX)

28. 5XX Server Error
o Server error occurred
o 500 Internal Server Error
o 501 Not Implemented
o 502 Bad Gateway
o 503 Service Unavailable
o 504 Gateway Timeout
o 505 Method Not Allowed

29. 5XX Server Error (cont.)
o 506 Variant Also Negotiates (RFC 2295)
o 507 Insufficient Storage (WebDAV RFC 4918)
o 508 Loop Detected (WebDAV RFC 5842)
o 509 Bandwidth Limit Exceeded (apache ext.)
o 510 Not Extended (RFC 2274)

30. 5XX Server Error (cont.)
o Codes not supported by Apache
o 511 Network Authentication Required (RFC
6585)
o 550 Permission Denied
o 598 Network Read Timeout Error (Microsoft
Proxy)
o 599 Network Connect Timeout Error
(Microsoft Proxy)

31. OMG Enough with
the numbers
already!!!!

33. WHY?

34. It started as a simple idea…

36. … and I started to think

37. SCREW WITH
SCANNERS

38. … AND SCRIPT
K1DD13S

39. THAT SOUNDS
LIKE FUN!

40. @thegrugq 26 Feb 2013

41. @thegrugq 26 Feb 2013

42. Prior Art
- When the tables turn (2004)
- Roelof Temmingh, Haroon Meer, Charl van der Walt
- http://slideshare.net/sensepost/strikeback
- Stopping Automated Attack Tools (2006)
- Gunter Ollmann
- http://www.technicalinfo.net/papers/StoppingAutom
atedAttackTools.html

43. HOW?

44. BROWSERS HAVE
TO BE FLEXIBLE

45. THIS LEADS TO
INTERPRETATION

46. RFCS…
THEY’RE MORE OF A
GUIDELINE REALLY

47. WHAT COULD
POSSIBLY GO

48. TESTING
THE HOW OF THE THING!

49. o Restricted research to the big 3
o Internet Explorer
o Chrome / Chromium
o Firefox

50. NO… SAFARI ISN’T
IN THE TOP 10 3

51. OPERA JUMPED…
OR WAS IT PUSHED!

52. LYNX
THE UNREALISTIC OPTION

53. o MITMproxy
o Python-based
o Simple to setup proxy / reverse proxy
o Script-based actions

54. o PHP
o Ability to set response code
o Must be at the top of the PHP code
o Can be added to php.ini
o auto-prepend-file=
o Limited by web-server (apache)

55. o Testing browsers automatically
o Created PHP file to set status code
- http://c22.cc/POC/respcode.php?code=XXX

56. BROWSERS
… AND THEIR STATUS CODE HABITS

58. Firefox Chrome Internet Explorer
Response Code HTML iFrame JS HTML iFrame JS HTML iFrame JS
100 X X X X d/load X X X X
101 X X X X d/load X X X X
102 X X X X d/load X X X X
200
201
202
203
204 X X X X X X X X X
205 X X X X X X
206
207
300 X
301 X X X X
302 X X X X
303 X X X X
304 X X X X X X X X X
305 X
306 X
307 X X X X

59. Firefox Chrome Internet Explorer
Response Code HTML iFrame JS HTML iFrame JS HTML iFrame JS
400 X X X X
401 X X X
402 X X X
403 X X X X
404 X X X X
405 X X X X
406 X X X X
407 X Proxy Proxy Proxy X
408 X X X X X X
409 X X X X
410 X X X X
411 X X X
412 X X X
413 X X X
424 X X X
425 X X X
426 X X X

60. Firefox Chrome Internet Explorer
Response Code HTML iFrame JS HTML iFrame JS HTML iFrame JS
500 X X X X
501 X X X X
502 X X X
503 X X X
504 X X X
505 X X X X
506 X X X
507 X X X
508 X X X
509 X X X
510 X X X

62. Browsers handle
most things just like
they handle a
200 OK?

63. YEP…
MOSTLY

64. o HTML Responses
o Almost all response codes are rendered by
the browser correctly
o iFrames
o Some special cases for IE, but other
browsers handle this the same as HTML

65. o JavaScript/CSS
o Limited accepted status codes
o Limited 3XX support
o Chrome is the exception here
o No support for 4XX/5XX codes

66. So we know
what browsers
interpret
differently

67. What do all
browsers have
in common?

68. o 10X code handling
o Retries
o Confusion
o Chrome / IE6 try to download the page!
o Fun on Android…
o Timeouts
o Eventually

69. o 204 No Content
o Um, no content!
o 304 Not Modified
o Again, no content

70. WHAT ABOUT
HEADERS?

71. Just because the RFC says
a specific status code
must have an associated
header doesn’t mean it
HAS to…

72. o Redirection codes (301-304, 307)
o No Location header, no redirect
o 401 Unauthorized
o No WWW-Authenticate header, no
authentication prompt
o 407 Proxy Authentication Required
o No Proxy-Authenticate header, no prompt

73. Just because the RFC says
a specific status code
shouldn’t have an
associated header
doesn’t mean it can’t…

74. o 300 Multiple Choices w/ Location Header
o Firefox/IE6 follows the redirect
o Chrome doesn’t
o More research needed in this direction

75. EACH BROWSER
HANDLES THINGS A
LITTLE DIFFERENTLY

76. I WONDER WHAT
WE CAN DO
WITH THAT!

78. GOALS

79. o Each browser handles things differently
o Use known conditions
o Handled codes
o Unhandled codes
o Browser weirdness

80. BROWSER
FINGERPRINTING

81. Firefox
o Doesn’t load JavaScript returned with a 300
‘Multiple Choices’ status code
o Other browsers tested DO (IE/Chrome)
o Request JS from server
o Respond using 300 ‘Multiple Choices’
o If JS doesn’t run in the browser - it’s FF

82. Chrome
o Loads JavaScript returned with a 307
‘Temporary Redirect’ status code
o Other browsers tested DON’T (IE/FF)
o Request JS from server
o Respond with 307 ‘Temporary Redirect’
o If JS runs in the browser - it’s Chrome

83. Internet Explorer
o Loads JavaScript returned with a 205 ‘Reset
Content’ status code
o Other browsers tested DON’T (FF/Chrome)
o Request JS from server
o Respond using 205 ‘Reset Content’
o If JS runs in the browser - it’s IE

84. o Other options to fingerprint browsers
o 300 Redirect (Chrome)
o 305/306 JavaScript (Firefox)
o 400 iFrame (Internet Explorer)
o …
o There are probably more

85. BROWSER
FINGERPRINTING
DEMO

86. USER-AGENTS
CAN BE
SPOOFED

87. BROWSER
TRAITS CAN’T

88. PROXY
DETECTION

89. Chrome
o Chrome handles proxy configuration
differently to other browsers
o 407 status code isn’t rendered
o Unless an HTTP proxy is set!
o Allows us to detect if an HTTP proxy is in use
o Just not which proxy
o Can only detect HTTP proxies ;(

90. Chrome Proxy Detection
o Request page from server
o Respond using 407 ‘Proxy Authentication
Required’
o - w/o Proxy-Authenticate header
o If Chrome responds, it’s configured to use an
HTTP proxy

92. Side-Effect: Owning Proxies
o Privoxy 3.0.20 (CVE-2013-2503)
o 407 Proxy Authentication Required
o w/ Proxy-Authenticate header
o User prompted for username/password
o Prompt appears to be from Privoxy
o Privoxy passes username/password to
remote site
o Profit???

93. BRINGING IT
TOGETHER

94. What we have
o Status codes all browsers treat as content
o Status codes all browsers can’t handle
o 10X, etc..
o Lots of browser quirks

95. What can we do
o F*ck with things
o Screw with scanner monkeys
o Make RFC lovers cry into their beer
o Break things in general

96. Let’s try to…
o Use what we’ve discovered to…
o Break spidering tools
o Cause false positives / negatives
o Slow down attackers
o The fun way!
o Blocking successful exploitation

97. BREAKING
SPIDERS

98. Simplistic view
of spiders

99. o Access target URL
o Read links / functions
o Test them out
o If true: repeat
o What is TRUE?

100. o What happens if:
o Every response is a 200
o Every response is a 404 / 500

101. 200 OK
o IF 200 == True:
o Problems!
o Never-ending spider

102. 404 Not Found
o IF 404 == False:
o More problems!
o What website?

103. 500 Internal Server Error
o Skipfish != happy fish

104. False
Positives
/Negatives

105. o Most scanners use status codes
o At least to some extent
o Initial match (prior to more costly regex)
o Speed up detection

106. o What happens if:
o Every response is a 200
o Every response is a 404 / 500
o Every response is random*
* Using codes that are accepted by all browsers as content

107. Vulnerability Baseline
o w3af
o Information  79 points
o Vulnerabilities  65
o Shells  0 shells 
o Scan time  1h37m23s

108. Every response 200 OK
o No change
o All points discovered - per baseline
o 79/65/0
o Scan time  9h56m55s
o Lots more to check ;)

109. Every response 404 Not Found
o Less to scan == Less to find
o False negatives
o 44 Information points (-35)
o 37 Vulnerabilities (-28)
o Scan time  7m13s
o Much quicker scan
o Less paths traversed

110. Every response 500
o Server error == OMG VULN!
o False positives+++
o 9540 Information points (+9461)
o 9526 Vulnerabilities (+9461)

111. Random Status Codes
o Multiple runs
o All tests produced False positives++
o avg. 619 Information points (+540)
o avg. 550 Vulnerabilities (+485)
o Avg. scan time  11m37s
o Much quicker scan

112. Random Status Codes
o Skipfish + $rand = chaos
o False Positives and False Negatives
o Scan jobs killed due to lack of resources
o Scan times
o 1st scan time  10h3m35s
o 2nd scan time  0h0m4s
o 3rd scan time  16h47m41s

113. Slowing
attackers
down!

114. What does
your WAF
really do?

115. o OMG Attack
o Return error (401?)
o Profit???

116. Why?

117. Remember that list
of status codes
browsers don’t
handle well?

118. Yeah well, scanners
don’t usually handle
them well either!

119. Especially the
1XX codes

120. o Remember LaBrea tarpit?
o Tim Liston 2001 (labrea.sourceforge.net)
o Designed to slow spread of Code Red
o Slows down scans / attackers

122. How about an
HTTP Tarpit!

124. HTTP Tarpit Scenario
o WAF detects scan / attack
o Adds source IP to “naughty” list
o All responses from the server are
rewritten
o 100|101|102 status codes only (random)
o 204|304 might also be useful (no content)

125. Let’s do
some
science!*
* Science not included

126. Nikto vs.
HTTP Tarpit

127. Baseline HTTP Tarpit
Scan time
2m 18s 14h 33m 2s
Findings
18 10

128. W3AF vs.
HTTP Tarpit

129. Baseline HTTP Tarpit
Scan time
1h 37m 23s 18m 10s
Findings
65 0

130. Skipfish vs.
HTTP Tarpit

131. Baseline HTTP Tarpit
Scan time
18m 10s 05s
Findings
Low: 2519 Low: 0
Med: 2522 Med: 0
High: 12 High: 3

132. HTTP Tarpit
o HTTP Tarpit Results*
o Slow scans (nikto)
o 340x as long
o Unreliable / aborted scans (w3af / skipfish)
o 100% less findings
* Not scientifically sound ;)

133. Blocking
successful
exploitation

134. We’ve made it
hard to find the
vulnerabilities

135. We’ve made it
time consuming
for attackers

136. Now let’s stop the
sk1dd13s using
Metasploit to pop
$hells

137. o How often does Metasploit reference
status codes?
rgrep -E 'res[p|ponse]?.code' **
rgrep -E 'res[p|ponse]?.code'
 846*
* Not scientifically sound ;)

138. Lots of
dependency on
status codes*
* yep, even the stuff I wrote

139. if (res.code < 200 or res.code >= 300)
case res.code
when 401
print_warning("Warning: The web site
asked for authentication: #{res.headers
['WWW-Authenticate'] || res.headers
['Authentication']}")
end
fail_with(Exploit::Failure::Unknown,
"Upload failed on #{path_tmp}
[#{res.code} #{res.message}]")
end

140. No match,
No shell*
* exploit dependent

141. REVIEW

142. o Using status codes to our benefit is fun
o … and useful!
o Browsers can be quirky
o Scanners / attack toolkits are sometimes
set in their ways
o Take the easy route
o Easy to fool

143. o WAFs need to get more offensive about
their defense
o More than just blocking a request with a
snazzy message
o Hacking back is bad
o Slowing down known attacks is good
o Make life harder for skiddies is pricele$$

144. o Current tools are much the same as APT
o APT (Adequate Persistent Threat)
o Only as advanced as they NEED to be

145. Countering
this research

146. o Less reliance on status codes
o More reliance on content / headers
o Pros
o Better matching / intelligence
o Cons
o Slower? (regex)
o More resource intensive

147. Questions?

148. MITMPROXY SCRIPTS AVAILABLE
GITHUB.COM/CHRISJOHNRILEY/RANDOM_CODE

150. Thanks for coming
http://c22.cc
contact@c22.cc