[Full-Disclosure] Re: Web server http protocol version support

From: Maarten Van Horenbeeck (maarten_at_daemon.be)
Date: 11/12/04

    To: marc.ruef@computec.ch
    Date: Fri, 12 Nov 2004 14:48:13 +0000 (GMT)
    
    

    Hi Marc,

    In RFC 2616, describing version 1.1 of the Hypertext Transfer Protocol, it
    is described that the specification expects HTTP/1.1 servers to respond
    appropriately with a message in "the same major version used by the
    client". However, this is not in compliance with another RFC, 2145,
    which explicitly states that a server should send the highest version it
    supports, but "may" send a lower version in case it is suspected that the
    client may not handle the higher version correctly.

    This means that an HTTP/0.9 request is usually responded to with an
    HTTP/0.9 reply. An HTTP/1.0 request can be responded to with either an
    HTTP/1.0 or HTTP/1.1 reply. This is done because in versions prior to
    "major version" 1, no version numbers were used, which would make it
    harder for a 0.9 version to identify the server side.

    A while back I tested this on a number of web servers. When sending an
    HTTP/0.9 request to an Apache 1.3.31 or SunONE web server, I did in fact
    receive an HTTP/0.9 reply. These are easy to identify as they don't even
    contain headers or a version number, just the pure HTML. When I did the
    same with an IIS 5 or 6, I received an HTTP/1.1 reply. Both of these are
    acceptable, but the Apache/SunONE response is technically "more correct",
    as it avoids client interpretation problems.

    I've used this quite often to identify a web server when the Server:
    header has been obfuscated. Used together with other items specific to
    certain server types (encoding, default settings such as keepalive), this
    is quite reliable.

    Cheers,
    Maarten

    --
    Maarten Van Horenbeeck, GCIA <maarten@daemon.be>
    http://www.daemon.be/maarten
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
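The reply classification the post describes (an HTTP/0.9 answer carries no status line or headers, an HTTP/1.x answer does) as an added example for checking how one's own servers behave; this is not code from the post's author. It uses only Python's standard library, and the sample replies are constructed, not captured from any real server.

```python
import socket

# Constructed sample replies (not captured from any real server) illustrating
# the two behaviours the post contrasts for a bare "GET /" (HTTP/0.9) request.
SAMPLE_09_REPLY = b"<html><body>Hello</body></html>\r\n"
SAMPLE_11_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: 31\r\n\r\n<html><body>Hello</body></html>")


def classify_reply(raw: bytes) -> str:
    """Return the HTTP version token a server answered with.

    An HTTP/0.9 reply has no status line and no headers, just the body,
    so anything that does not begin with a well-formed 'HTTP/x.y' status
    line is treated as an HTTP/0.9 reply.
    """
    first_line = raw.split(b"\r\n", 1)[0]
    if first_line.startswith(b"HTTP/"):
        token = first_line.split(b" ", 1)[0]        # e.g. b"HTTP/1.1"
        major_minor = token[len(b"HTTP/"):]
        if major_minor.count(b".") == 1 and major_minor.replace(b".", b"").isdigit():
            return token.decode("ascii")
    return "HTTP/0.9"


def behaviour_hint(version: str) -> str:
    """Map the answered version to the RFC behaviour the post contrasts."""
    if version == "HTTP/0.9":
        return "answered in the client's version (RFC 2616 reading)"
    return "answered with a higher version than requested (RFC 2145 reading)"


def probe_http09(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send a bare HTTP/0.9 request and return the raw reply bytes.

    A request line with no version token is what makes it HTTP/0.9;
    feed the result to classify_reply() to see how the server answered.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET /\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    for sample in (SAMPLE_09_REPLY, SAMPLE_11_REPLY):
        version = classify_reply(sample)
        print(version, "-", behaviour_hint(version))
```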
    
