php nginx server got strange header and post data from http request
Our app server received some strange requests, with HTTP headers like:

"Content-Type": "application/x-www-form-urlencoded",
"Content-Length": "3177",
"Host": "xxxxxxxxx",
"Accept": "*/*",
"Accept-Encoding": "gzip",
"Msisdn": "12345678",

And the HTTP POST body, read using file_get_contents('php://input'), began with: ISDN: 12345678\r\n\r\n

The Msisdn entity header and the ISDN: 12345678\r\n\r\n line were not sent by our app client.

Our app is written in C++ and uses libcurl to handle HTTP requests. I really do not know what has happened here, especially the ISDN: 12345678\r\n\r\n in the POST body content.

All suggestions are welcome.

Brookebrooker answered 30/9, 2017 at 8:54 Comment(14)
Are you sure the request came from your application? – Fransis
ISDN is a mobile phone number, so I think that header is sent by mobile apps. – Fransis
Maybe a proxy server on the mobile network is adding the header. But it shouldn't modify the POST body. – Fransis
Not really sure the request came from my application, and our app runs on both iOS and Android; it happened dozens of times a day. – Brookebrooker
@Fransis a proxy server may add headers, but the POST body changed too. – Brookebrooker
That's completely invalid, but I'm not sure there's anything you can do about it. – Fransis
Now I can do nothing at all; the POST body has been cut off, and it cannot be properly decoded. – Brookebrooker
@zsounder libcurl will not modify your HTTP request of its own accord. Anything your server receives is added either by the client or by some relay in the network. – Hasson
There's an interesting discussion here. Would the MSISDN header be set by a network provider if the client was using a mobile phone as a Wi-Fi hotspot? #8428922 – Dyan
Is the communication happening over HTTP or HTTPS? You should put it behind HTTPS using Nginx or something and see if it helps. – Pyrrha
@TarunLalwani it's over HTTP. – Brookebrooker
@Hasson agree with you, not a big deal to add an MSISDN header, but it seems the POST body changed. – Brookebrooker
@zsounder, I would suggest you put it behind Nginx and protect it using HTTPS and see if that helps. Then maybe you won't see such problems. – Pyrrha
@TarunLalwani We cannot change to HTTPS for all requests for historic reasons. – Brookebrooker
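The symptoms in the question (a carrier-style Msisdn header plus an "ISDN: 12345678\r\n\r\n" line prepended to a form-encoded POST body) can at least be detected and logged server-side, so tampered requests are rejected with a clear reason instead of failing to decode. The analyzer below is an added example, not code from the question or its comments; it is written in Python as a stand-alone check over a captured request rather than inside the PHP handler, and the sample request, the host name, the required field names (user, action) and the variant header names beyond Msisdn and calling-line-id are all constructed assumptions. As the answer on this page notes, only HTTPS prevents the modification; this code only makes it visible.

```python
"""Detect carrier-proxy tampering of the kind described in the question:
an injected Msisdn-style header and an "ISDN: <number>\r\n\r\n" line
prepended to an application/x-www-form-urlencoded POST body."""
import re
from urllib.parse import parse_qs

# Header names inserted by some mobile-network proxies. The page names
# Msisdn and calling-line-id; the other entries are assumed common variants.
CARRIER_HEADERS = {"msisdn", "x-msisdn", "x-up-calling-line-id", "x-nokia-msisdn"}

# The injected body prefix reported in the question, matched on raw bytes.
BODY_PREFIX = re.compile(rb"^ISDN: (?P<number>\d+)\r\n\r\n")

# Fields the application expects in every POST (assumed for this example).
REQUIRED_FIELDS = {"user", "action"}

# Constructed sample request modelled on the headers quoted in the question.
SAMPLE_HEADERS = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Content-Length": "40",
    "Host": "app.example",
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Msisdn": "12345678",
}
SAMPLE_BODY = b"ISDN: 12345678\r\n\r\nuser=alice&action=sync"


def analyze_request(headers, body):
    """Return tampering indicators for one request (headers: dict, body: bytes)."""
    lower = {k.lower(): v for k, v in headers.items()}
    declared = int(lower["content-length"]) if "content-length" in lower else None
    findings = {
        "injected_headers": sorted(k for k in lower if k in CARRIER_HEADERS),
        "body_prefix": None,  # number from the injected ISDN line, if present
        "declared_length": declared,
        "actual_length": len(body),
        "length_mismatch": declared is not None and declared != len(body),
        "recovered_body": body,
        "fields": {},
        "missing_fields": [],
    }
    match = BODY_PREFIX.match(body)
    if match:
        findings["body_prefix"] = match.group("number").decode("ascii")
        # Strip the injected line; what follows may still be truncated.
        findings["recovered_body"] = body[match.end():]
    if lower.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        text = findings["recovered_body"].decode("utf-8", errors="replace")
        findings["fields"] = parse_qs(text, keep_blank_values=True)
        findings["missing_fields"] = sorted(REQUIRED_FIELDS - set(findings["fields"]))
    return findings


def tampering_detected(findings):
    """True when the request carries a carrier header, the injected body line,
    a Content-Length that disagrees with the bytes received, or lost fields."""
    return bool(findings["injected_headers"] or findings["body_prefix"]
                or findings["length_mismatch"] or findings["missing_fields"])


if __name__ == "__main__":
    result = analyze_request(SAMPLE_HEADERS, SAMPLE_BODY)
    print("tampered:", tampering_detected(result))
    for key, value in result.items():
        print(f"  {key}: {value!r}")
```

The length comparison only catches a proxy that rewrites the body without fixing Content-Length; one that adjusts both, as the question's 3177-byte request suggests, is caught by the prefix match and by the required-field check, which is why the handler should validate the decoded fields rather than trust that the body decoded at all.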

Clients can add whatever headers they want, as can proxy servers. This header is added in by some mobile networks for all requests.

Detect an MSISDN (mobile number) with the browser

Kira answered 20/2, 2018 at 9:25 Comment(4)
Not a big deal to add MSISDN or calling-line-id; the thing is the POST body had been changed too. – Brookebrooker
Then change to HTTPS so the data can't be changed by a MITM proxy on the wireless provider's side. – Kira
We cannot change to HTTPS for all requests for historic reasons. – Brookebrooker
Then you are accepting that your traffic can be man-in-the-middled and altered. And you're exposing every bit of data over this API to being read and modified in transit, which will cause more issues like this in the future. Your historic reasons will be biting you for the foreseeable future, but that's your project. – Kira