
Suppose I used the user agent header to look at which browser (if any) is being used in order to help me defend against potential CSRF attacks. While I understand that there is a myriad of CSRF defenses that don't require the user agent header, I just want to know how safe the user agent header is -- could a CSRF attacker modify it to whatever he wishes?

I know that the origin header and referer header are well-protected from such modifications, since they are forbidden headers. The user-agent header, however, does not appear to be.

Does this mean a CSRF attacker can trivially change the user-agent header? According to this, it can't be done. But I wonder why, then, it isn't listed as 'forbidden'. Is there something I'm misreading? Is it as protected as the Referer and Origin headers?

Thanks in advance.

ineedahero
  • If you're asking if a user can spoof their user agent then the answer is yes. [Very easily.](http://www.howtogeek.com/113439/how-to-change-your-browsers-user-agent-without-installing-any-extensions/) – Mike Cluck Nov 21 '16 at 16:54
  • What should be the advantage for a hacker to modify the user-agent header? – gus27 Nov 21 '16 at 16:55
  • Yes, a user can spoof their user agent. They can also spoof their origin header, as well as their referer header. A CSRF attacker, however, cannot spoof their origin or referer headers because they have no control over the user's browser. What about the user-agent header? – ineedahero Nov 21 '16 at 16:58
  • I'm not sure what advantage it would give the hacker. I'm just more interested in the general theory of how much power the CSRF attacker has, since I'm seeing conflicting opinions on it. It is feasible, however, that a CSRF defense may act differently depending on the type of browser, so in that case the attacker may benefit from changing it to what he wants. – ineedahero Nov 21 '16 at 17:00

1 Answer


Obviously the user agent is just a request header and can easily be forged if we are talking about any request outside of a browser, or different browser extensions or tools.

With JavaScript running in a browser (for example in a CSRF scenario), the situation is mixed. With the good old XMLHttpRequest interface it is not possible: you cannot change the User-Agent header. However, there is the new Fetch API supported by Chrome 43+, Edge 14+, Firefox 39+ and Opera 29+, but not by IE and Safari. Even among supporting browsers, there are differences.

Consider this code:

```javascript
var myHeaders = new Headers();
// Try to override the browser's own User-Agent value
myHeaders.append("User-Agent", "anything you like");

var setup = { method: 'GET',
              headers: myHeaders,
              mode: 'cors',
              cache: 'default' };

// Issue the request and read the body; what matters here is the
// User-Agent header the browser actually puts on the wire
fetch('somefile.txt', setup)
.then(function(response) {
    return response.blob();
});
```

I tried this in Chrome 54.0.2840.100 on Linux, and User-Agent in the request was the default Chrome user agent. However, running this in Firefox 50.0 does indeed send the custom user agent.

So apparently it should be possible according to the Fetch specification, but browsers implement this differently as usual.

Also, if plugins are installed in the browser (especially old versions of Java or Flash), those may allow forging of request headers like Referer, Origin or the user agent.

Gabor Lengyel