6

Our app server got some strange request, http headers like:

"Content-Type": "application/x-www-form-urlencoded",
"Content-Length": "3177",
"Host": "xxxxxxxxx",
"Accept": "*/*",
"Accept-Encoding": "gzip",
"Msisdn": "12345678",

And the HTTP POST body read using file_get_contents('php://input') was beginning with: ISDN: 12345678\r\n\r\n

The Msisdn entity header and ISDN: 12345678\r\n\r\n were not sent by our app client.

Our app is written in C++ and uses libcurl to handle HTTP requests. I really do not know what has happened here, especially the ISDN: 12345678\r\n\r\n in the POST body content.

All suggestions are welcome.

UmNyobe
timestee
  • Are you sure the request came from your application? – Barmar Sep 30 '17 at 08:59
  • `ISDN` is a mobile phone number, so I think that header is sent by mobile apps. – Barmar Sep 30 '17 at 09:01
  • Maybe proxy server on the mobile network is adding the header. But it shouldn't modify the post body. – Barmar Sep 30 '17 at 09:03
  • Not really sure the request came from my application, and our app runs on both iOS and Android; it happened dozens of times a day. – timestee Sep 30 '17 at 09:04
  • @Barmar proxy server maybe add headers, but the post body changed too. – timestee Sep 30 '17 at 09:05
  • That's completely invalid, but I'm not sure there's anything you can do about it. – Barmar Sep 30 '17 at 09:07
  • Now I could do nothing at all; the post body has been cut off, so it cannot be properly decoded. – timestee Sep 30 '17 at 09:10
  • @zsounder libcurl will not modify your HTTP request of its own accord. Anything your server receives is added either by the client or by some relayer in the network. – UmNyobe Feb 19 '18 at 10:15
  • there's an interesting discussion here. Would the MSISDN header be set by a network provider if the client was using a mobile phone as a wifi hotspot? https://stackoverflow.com/questions/8428422/detect-an-msisdn-mobile-number-with-the-browser – codebrane Feb 19 '18 at 14:44
  • Is the communication happening over HTTP or HTTPS? You should put it on back of HTTPS using Nginx or something and see if it helps – Tarun Lalwani Feb 20 '18 at 03:19
  • @TarunLalwani it's over HTTP – timestee Feb 24 '18 at 07:49
  • @UmNyobe agree with you, not a big deal to add MSISDN header, but seems the post body changed – timestee Feb 24 '18 at 07:51
  • @zsounder, I would suggest you put it behind Nginx and protect it using HTTPS and see if that helps. Then maybe you won't see such problems. – Tarun Lalwani Feb 24 '18 at 07:51
  • @TarunLalwani We can not change to HTTPS for all requests for historic reasons. – timestee Feb 26 '18 at 03:26

1 Answer

0

Clients can add whatever headers they want, as can proxy servers. This header is added in by some mobile networks for all requests.

Detect an MSISDN (mobile number) with the browser

Ryan Gooler
  • Not a big deal to add MSISDN Or calling-line-id, the thing is the post body had been changed too. – timestee Feb 24 '18 at 07:53
  • Then change to HTTPS so the data can't be changed by a MITM proxy on the wireless provider's side. – Ryan Gooler Feb 26 '18 at 01:50
  • We can not change to HTTPS for all requests for historic reasons. – timestee Feb 26 '18 at 03:26
  • Then you are accepting that your traffic can be man-in-the-middle'd and altered. And you're exposing every bit of data over this API to being read and modified in transit, which will cause more issues like this in the future. Your historic reasons will be biting you for the foreseeable future, but that's your project. – Ryan Gooler Feb 27 '18 at 09:09
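As an added example, not code from the question or the answer, here is a server-side check in Python that flags the two symptoms reported above (an injected MSISDN-style request header and a header-like "ISDN: ..." line prepended to the form body), notes a Content-Length that no longer matches the received body, and recovers the form fields when the remainder still parses. The header names other than Msisdn, the sample request, its hostname and its values are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample modelled on the request in the question: a carrier-style
# "Msisdn" header and a header-like line prepended to the urlencoded body.
# Content-Length is assumed to be the client's original value (29 bytes),
# i.e. the intermediary added 18 bytes to the body without rewriting it.
SAMPLE_HEADERS = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Content-Length": "29",
    "Host": "example.invalid",
    "Accept": "*/*",
    "Msisdn": "12345678",
}
SAMPLE_BODY = b"ISDN: 12345678\r\n\r\nuser=alice&action=sync&seq=42"

# Header names inserted by some mobile-network intermediaries (assumed list).
INJECTED_HEADER_NAMES = {"msisdn", "x-msisdn", "x-up-calling-line-id"}
# A body that opens with "Name: value" plus a blank line is not form data.
HEADER_LIKE_PREFIX = re.compile(rb"\A([A-Za-z][A-Za-z0-9-]*):[ \t]*([^\r\n]*)\r\n\r\n")


def inspect_request(headers, body):
    """Return tamper indicators for a urlencoded POST and the parsed form.

    These checks can only flag and partially recover; they cannot prove the
    payload is intact, which is why end-to-end TLS is the real fix.
    """
    findings = {"injected_headers": [], "body_prefix": None,
                "length_mismatch": False, "form": None}
    for name, value in headers.items():
        if name.lower() in INJECTED_HEADER_NAMES:
            findings["injected_headers"].append((name, value))
    declared = headers.get("Content-Length")
    if declared is not None and int(declared) != len(body):
        findings["length_mismatch"] = True
    match = HEADER_LIKE_PREFIX.match(body)
    if match:
        findings["body_prefix"] = (match.group(1) + b": " + match.group(2)).decode()
        body = body[match.end():]          # strip the injected line before parsing
    findings["form"] = parse_qs(body.decode("ascii", "replace"))
    return findings


if __name__ == "__main__":
    print(inspect_request(SAMPLE_HEADERS, SAMPLE_BODY))
```

Any non-empty finding is a reason to log the request and reject it rather than process the recovered fields, since an intermediary that rewrites the body can just as easily alter the form values themselves.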