-=[ The content-Xontent Response parametric layout ]=-
======================================================
Triosec, SecNiche Security

This abstract deals with HTTP header manipulation performed by an intermediate device. The problem that I have faced is explained below:

-=[ Explanation ]=-
====================
During a pen test I came across an unusual behaviour in which the Content header is changed to Xcontent in the HTTP response. A change of HTTP specifier like this clearly indicates that some intermediate device has tampered with the parameters. This is because:

1. Microsoft IIS web server does not show this kind of behavior.
2. Even Apache [httpd] does not exhibit this.

Some examples:

-=[Example 1: Testing Squid]=-
===============================
HTTP/1.0 403 Forbidden
Server: squid/2.5.STABLE12
Mime-Version: 1.0
Date: Sat, 11 Aug 2007 14:23:19 GMT
Content-Type: text/html
Content-Length: 1229
Expires: Sat, 11 Aug 2007 14:23:19 GMT
X-Squid-Error: ERR_TRANS_DENIED 0
Connection: close

[No change in content parameter]

-=[Example 2: Testing Microsoft IIS]=-
=======================================
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Sun, 13 Nov 2005 04:34:17 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Sun, 13 Nov 2005 04:31:16 GMT
ETag: "608fa7aaf8ebc51:c61"
Content-Length: 38

[No change in content parameter]

-=[Example 3: Testing Apache]=-
===============================
HTTP/1.1 200 OK
Date: Tue, 10 July 2007 03:01:36 GMT
Server: Apache
Connection: close
Content-type: text/plain

[No change in content parameter]

-=[The Strange Response]=-
=============================
HTTP/1.0 404 Not Found\r\n
Xontent-Length: \r\n
Server: thttpd/2.25b 29dec2003\r\n
Content-Type: text/html; charset=iso-8859-1\r\n
Last-Modified: Tue, 05 Jul 2007 17:01:12 GMT\r\n
Accept-Ranges: bytes\r\n
Cache-Control: no-cache, no-store\r\n
Date: Tue, 05 Jun 2007 17:01:12 GMT\r\n
Content-Length: 329\r\n
Connection: close\r\n
\r\n

This clearly indicates that an HTTP intermediate device has been encountered. No doubt the server is httpd, but the response is modified by a balancing device.

==========
Zknk
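
The observation above can be turned into a repeatable check when reviewing what your own front-end devices reveal. The following is an added example, not part of the original write-up: it parses a raw response head and flags any header name that is one substituted character away from a standard name, noting whether the genuine header is also present. The KNOWN list and the function names are assumptions of this example; the sample input is the strange response quoted above.

```python
# Added example. KNOWN is a small, non-exhaustive list chosen for illustration (an assumption).
KNOWN = sorted({
    "accept-ranges", "cache-control", "connection", "content-encoding",
    "content-length", "content-type", "date", "etag", "expires",
    "last-modified", "mime-version", "server", "transfer-encoding",
})
# The "strange response" quoted on this page, with real CRLF line endings.
STRANGE = (
    "HTTP/1.0 404 Not Found\r\n"
    "Xontent-Length: \r\n"
    "Server: thttpd/2.25b 29dec2003\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "Last-Modified: Tue, 05 Jul 2007 17:01:12 GMT\r\n"
    "Accept-Ranges: bytes\r\n"
    "Cache-Control: no-cache, no-store\r\n"
    "Date: Tue, 05 Jun 2007 17:01:12 GMT\r\n"
    "Content-Length: 329\r\n"
    "Connection: close\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return [(name, value)] from a raw response head, skipping the status line."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers

def near_miss(name):
    """Known header differing from `name` by one substituted character, else None."""
    n = name.lower()
    if n in KNOWN:
        return None
    for k in KNOWN:
        if len(k) == len(n) and sum(a != b for a, b in zip(k, n)) == 1:
            return k
    return None

def find_mangled(raw):
    """List mangled-looking headers and whether the genuine one is also sent."""
    headers = parse_headers(raw)
    present = {n.lower() for n, _ in headers}
    return [{"seen": n, "looks_like": near_miss(n), "value": v,
             "genuine_also_present": near_miss(n) in present}
            for n, v in headers if near_miss(n)]
```

On the strange response, find_mangled(STRANGE) reports Xontent-Length as a near miss of content-length with an empty value, alongside the genuine Content-Length header.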