
We've been observing some strange behavior in the data sent to our systems from JavaScript since 9/9/2015.

The problem shows up when the query string is sent to our servers. Some values of the parameters contained in the GET request are shuffled. A mapping of the received data is not possible since the parameters get totally deformed.

For example the parameter 'foo=bar' gets 'foo=abr' or 'foo=rab'. Which implies that the data is still available, but the characters are not in the right order anymore. This only happens on parameters that are longer than 8 characters.

We calculate a checksum based on the Jenkins hash for the query string. This checksum gets transmitted correctly since the string is only 6 characters long. The GET request is sent to our systems immediately after calculating the checksum. That's why the problem shouldn't be in the JavaScript.

Analyzing the access logs of our servers shows that the parameters are already shuffled when they are received.

So far we could only observe this problem on Mozilla Firefox user agents in combination with Microsoft Windows operating systems. A sample of faulty requests from yesterday shows the following user agents:

  • Mozilla/5.0 (Windows NT 10.0; rv:40.0) Gecko/20100101 Firefox/40.0
  • Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
  • Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
  • Mozilla/5.0 (Windows NT 5.1; rv:39.0) Gecko/20100101 Firefox/39.0
  • Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0
  • Mozilla/5.0 (Windows NT 6.0; rv:40.0) Gecko/20100101 Firefox/40.0
  • Mozilla/5.0 (Windows NT 6.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
  • Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
  • Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
  • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
  • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
  • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
  • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
  • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
  • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
  • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
  • Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
  • Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
  • Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

It's unlikely that these requests are any form of an attack since those requests come from a wide range of IP addresses and have a very low ratio (below 0.1 percent) of the total requests. The behavior of the clients seems to be normal as well.

There is a Reddit post (https://redd.it/3lxg26) and a post on Stack Overflow (https://stackoverflow.com/questions/32572264/what-might-be-shufflling-my-query-string-parameters-constructed-in-javascript) describing a similar problem.

Does anybody have any suggestions about this problem? Or is anyone experiencing similar effects in their application?

tobias
  • Sounds to me like a messed up rewrite rule on the server. – Barmar Sep 30 '15 at 19:11
  • If you use `tcpdump` or `Wireshark` to capture the network traffic, is the query string already scrambled? In the `param=value` strings, is it always the value that gets shuffled, or can it be the parameter name? – Barmar Sep 30 '15 at 19:13
  • The accepted answer to the SO question mentions a Firefox add-on that causes this behavior. See if the users with this problem are running Cliqz. – Barmar Sep 30 '15 at 19:18

0 Answers
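The checksum scheme described in the question can be turned into a server-side check that flags altered query strings and tallies them per user agent. This is an added example, not code from the original post; it assumes the one-at-a-time variant of the Jenkins hash, a base36 encoding of the 6-character checksum, and a hypothetical parameter name `cs`.

```javascript
'use strict';
// Added example. The "cs" parameter name and base36 encoding are assumptions.

// Jenkins one-at-a-time hash over a string's UTF-16 code units, as unsigned 32-bit.
function oneAtATime(str) {
  let h = 0;
  for (let i = 0; i < str.length; i++) {
    h = (h + str.charCodeAt(i)) >>> 0;
    h = (h + (h << 10)) >>> 0;
    h = (h ^ (h >>> 6)) >>> 0;
  }
  h = (h + (h << 3)) >>> 0;
  h = (h ^ (h >>> 11)) >>> 0;
  return (h + (h << 15)) >>> 0;
}

// Client side: append a 6-character checksum of the query string.
function sign(query) {
  const cs = (oneAtATime(query) % 36 ** 6).toString(36).padStart(6, '0');
  return `${query}&cs=${cs}`;
}

// Server side: recompute the checksum for one logged query string.
function classify(raw) {
  const m = /^(.*)&cs=([0-9a-z]{6})$/.exec(raw);
  if (!m) return 'no-checksum';
  return sign(m[1]) === raw ? 'ok' : 'corrupted';
}

// True when b holds exactly the characters of a in a different order,
// e.g. to compare a received parameter name with the names the script sends.
function isShuffleOf(a, b) {
  return a !== b && [...a].sort().join('') === [...b].sort().join('');
}

// Count failed checks per user agent, to compare against the overall traffic mix.
function corruptedByAgent(records) {
  const counts = {};
  for (const { ua, query } of records) {
    if (classify(query) === 'corrupted') counts[ua] = (counts[ua] || 0) + 1;
  }
  return counts;
}

// Constructed sample records (not taken from real logs).
const good = sign('session=abcdefghijkl&page=home');
const sample = [
  { ua: 'UA-1', query: good },
  { ua: 'UA-2', query: good.replace('abcdefghijkl', 'abdcefghjikl') },
];
console.log(corruptedByAgent(sample));
```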