Traffic characteristics are too obvious #3720
Description
@ehsandeep
Sorry, I found during my research on nuclei scanning defense that its traffic characteristics are very obvious and easy to identify and intercept. I wonder if there are any further measures to improve this issue, such as confusion? Do not use fixed headers?
sample
http/exposures/backups/zip-backup-files.yaml
GET /web.tar.bz2 HTTP/1.1
host: 127.0.0.1:8080
user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
connection: close
accept: */*
accept-language: en
accept-encoding: gzip
http/exposures/configs/zend-config-file.yaml
GET /radio/application/configs/application.ini HTTP/1.1
host: 127.0.0.1:8080
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
connection: close
accept: */*
accept-language: en
accept-encoding: gzip
http/exposures/backups/zip-backup-files.yaml
GET /webapps.7z HTTP/1.1
host: 127.0.0.1:8080
user-agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
connection: close
accept: */*
accept-language: en
accept-encoding: gzip
http/exposures/backups/zip-backup-files.yaml
GET /web.z HTTP/1.1
host: 127.0.0.1:8080
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
connection: close
accept: */*
accept-language: en
accept-encoding: gzip
And then you realize that the user agent is random, which is exactly what we expected
But by default
connection
accept
accept-language
accept-encoding
Their order and values are the same, making it easy to identify and intercept them
And there has been no introduction of AI technology yet