1

I am working with a website running on IIS8.5 and I am seeing a set of requests with what I will call "WS" request headers showing up in the serverVariables collection as follows:

```
HTTP_WSHOST
HTTP_WSIP
HTTP_WS_IP
HTTP_WS_AUTH
HTTP_WS_VER
HTTP_X_WS_VER
HTTP_X_WS_EP_VER
HTTP_X_WS_AUTH
HTTP_X_WS_TSP_PROTOCOL_VERSION
```

I have done some searching, and all I can come up with is that HTTP_WSHOST and HTTP_WSIP are used by DomainTools crawler, and that in general, they might be related to WebSockets.

What are these headers commonly used for, and where might I find specs for each?

GWR
  • I do not have the answer, but this seems clearly specific to IIS webserver. Where exactly do you see these headers? They are maybe due to some specific configuration of your webserver. – Patrick Mevzek Nov 25 '17 at 23:41
  • They are not. They are HTTP request headers from clients making web requests to the server. – GWR Nov 26 '17 at 02:42
  • Which clients? Any specific one? Did you run a trace on the network, like tcpdump if they are HTTP? – Patrick Mevzek Nov 26 '17 at 02:47
  • It is a public-facing web application, so I don't have any way to determine with certainty the client, other than the 'User-Agent' header. This is commonly spoofed, so I don't rely on it. As noted in the question, `HTTP_WSHOST` and `HTTP_WSIP` are sent by the domaintools.com crawler, and I have reached out to them to inquire. I don't expect a response though. The others don't follow any pattern by which I can make any determination as to their origin. I was just thinking someone here might have some knowledge on them (as they have in the past on similar questions) – GWR Nov 26 '17 at 14:52
  • It would help maybe if you provide an example of what you see, with headers and values. It could as well be "leaked" headers by the application. – Patrick Mevzek Nov 26 '17 at 15:05

2 Answers

0

The X-WS-Ver, X-WS-EP-Ver and X-WS-Auth headers are used by the Websense Endpoint Proxy Agent (documentation, herdProtect page). Requests from this proxy have a user agent of WsNetFlt/1.0.

The Websense Endpoint Proxy Agent is used in organizations to filter web requests made by members, maybe because they want to selectively block some websites. It can also be used to authenticate web requests from devices outside the organization's network, e.g. if an employee is working from home.

Jack Taylor
0

Clearly confusing the most, HTTP headers here are in the internal IIS Server Variables format. All the HTTP headers are in variables ALL_RAW & ALL_HTTP, prefixed with HTTP_ and capitalized. Therefore, the raw HTTP headers are better for searching their source, and they'd look like this:

```
X-WS-Ver: 1.0
X-WS-EP-Ver: 1.4.7.8.1733
X-WS-Auth: <long hex string>
```

My best guess would be these are from some WS-Security implementation through HTTP headers. That may be used for some kind of single sign-on (SSO) / federation, but there isn't any clear definition of using them. In any case, I find that the abbreviation "WS" likely refers to Web services, rather than WebSockets.

Esa Jokinen
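An added example, not part of either answer: a Python sketch that maps raw request headers to the `HTTP_*` server-variable names IIS derives from them, and checks for the Websense Endpoint combination described in the first answer. It assumes `ALL_RAW` holds the headers as the client sent them, one `Name: value` per line; the function names and the sample request are constructed for illustration.

```python
# Added example. SAMPLE_ALL_RAW is a constructed request, not captured traffic.
SAMPLE_ALL_RAW = (
    "Host: www.example.test\r\n"
    "User-Agent: WsNetFlt/1.0\r\n"
    "X-WS-Ver: 1.0\r\n"
    "X-WS-EP-Ver: 1.4.7.8.1733\r\n"
    "X-WS-Auth: 0123abcd\r\n"
)

# Server-variable forms of the three headers named in the first answer.
WEBSENSE_VARIABLES = {"HTTP_X_WS_VER", "HTTP_X_WS_EP_VER", "HTTP_X_WS_AUTH"}


def server_variable_name(header_name):
    """Header name -> IIS variable: HTTP_ prefix, uppercase, '-' becomes '_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def parse_all_raw(all_raw):
    """Split an ALL_RAW value into (raw header name, value) pairs."""
    headers = []
    for line in all_raw.splitlines():
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep and name.strip():
            headers.append((name.strip(), value.strip()))
    return headers


def raw_names_by_variable(all_raw):
    """Map each HTTP_* name to the raw header name(s) that produce it.

    The mapping is lossy: 'WS-IP' and 'WS_IP' both become HTTP_WS_IP, so the
    raw form is what to search for when looking up a header's origin.
    """
    mapping = {}
    for name, _ in parse_all_raw(all_raw):
        mapping.setdefault(server_variable_name(name), []).append(name)
    return mapping


def looks_like_websense_endpoint(all_raw):
    """True when all three X-WS-* headers arrive with the WsNetFlt/1.0 agent."""
    headers = {name.lower(): value for name, value in parse_all_raw(all_raw)}
    has_all = WEBSENSE_VARIABLES.issubset(raw_names_by_variable(all_raw))
    return has_all and headers.get("user-agent") == "WsNetFlt/1.0"


if __name__ == "__main__":
    for variable, raw in raw_names_by_variable(SAMPLE_ALL_RAW).items():
        print(f"{variable:<20} <- {', '.join(raw)}")
    print("Websense Endpoint pattern:", looks_like_websense_endpoint(SAMPLE_ALL_RAW))
```

Because any client can send these headers and this User-Agent, a match only labels traffic for triage and says nothing about who the client is.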