Risk Analysis

Risk analysis based on the user agent string

The user agent string has traditionally been a vector for attackers and spammers due to a lot of websites not handling user agent strings properly. We check if it appears dangerous (due to SQL/Command injection attempts), spammy, or "weird".

Under the risks key, you will find a JSON list named user_agent_risks. In it, if we have identified any sorts of risks in the contents of the request you sent, the API will present a list of codes here to indicate what we have found "risky" about the request. How you choose to handle some or all of them is up to you and your business logic, but we present them here for you to handle them how you will.

An example of a risky user agent is:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) <script>alert('attack'); </script> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.1.4.55 Safari/537.36

And the resulting risks are:

[...] "risks": { "user_agent_risks": [ "is_weird", "is_weird_fake_version_number", "is_dangerous" ], [...]

The quickest way to see if a request is "risky" is to look at the number of items in the list; if it has any items at all, then there is some kind of risk associated with the headers of the visitor which you just sent to the API for detection.

If you inspect the items in the list, you can quickly look for:

  • is_weird
  • is_dangerous
  • is_spam
  • is_restricted

The presence of any of these indicates that the headers you sent contain something risky.

"Weird" user agents

We have dozens of checks for different ways a user agent can seem "weird". You can simply look for the "is_weird" list item, but you'll also notice that we include a code that indicates the reason we considered it weird.

The code will start with is_weird_, and then give an indication of why the API detected it as weird. The possible codes for the things we search for are listed here.
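As an added example (not code from the API's own documentation or client libraries), here is how a consumer might process the user_agent_risks list described above: apply the quick "any items" check, pick out the four top-level codes, and strip the is_weird_ prefix to recover the reason the API gave. The response is a constructed fragment matching the one shown earlier, and should_block is a hypothetical business rule, not something the API prescribes.

```python
import json

# Constructed sample of the response fragment shown on this page (not a live API call).
SAMPLE_RESPONSE = json.dumps({
    "risks": {
        "user_agent_risks": [
            "is_weird",
            "is_weird_fake_version_number",
            "is_dangerous",
        ]
    }
})

# The top-level risk codes this page says to look for first.
TOP_LEVEL_CODES = ("is_weird", "is_dangerous", "is_spam", "is_restricted")
WEIRD_PREFIX = "is_weird_"


def summarise_user_agent_risks(response_json: str) -> dict:
    """Summarise the risks.user_agent_risks list from an API response body.

    - 'risky': True if the list has any items at all (the quickest check).
    - 'categories': which of the top-level codes are present.
    - 'weird_reasons': suffixes of any is_weird_* codes, e.g. 'fake_version_number'.
    - 'unknown': codes that are neither a top-level code nor an is_weird_ reason.
    """
    data = json.loads(response_json)
    # A missing or empty risks block is treated as "no risks reported", not an error.
    risks = (data.get("risks") or {}).get("user_agent_risks") or []
    categories = sorted(c for c in TOP_LEVEL_CODES if c in risks)
    weird_reasons = sorted(c[len(WEIRD_PREFIX):] for c in risks if c.startswith(WEIRD_PREFIX))
    unknown = sorted(
        c for c in risks if c not in TOP_LEVEL_CODES and not c.startswith(WEIRD_PREFIX)
    )
    return {
        "risky": len(risks) > 0,
        "categories": categories,
        "weird_reasons": weird_reasons,
        "unknown": unknown,
    }


def should_block(summary: dict) -> bool:
    """Hypothetical business rule: block on is_dangerous or is_spam, only log is_weird."""
    return bool({"is_dangerous", "is_spam"} & set(summary["categories"]))


if __name__ == "__main__":
    summary = summarise_user_agent_risks(SAMPLE_RESPONSE)
    print(summary, "block:", should_block(summary))
```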

Risk analysis based on Client Hints headers

Client Hints HTTP headers are a relatively new development in web browser technology, and in the same way that bots, scripts, and criminals can send dangerous or "weird" user agents, they have also started sending Client Hints in suspect ways. We analyse Client Hints headers to find cases where they do not appear to be sent in the normal way, and raise them as risks here.