Many web applications implement custom logging functions and may log the contents of HTTP headers such as Referer and User-Agent. These headers should usually be considered potential entry points for input-based attacks. Some web applications perform additional processing on the HTTP Referer header. For example, an application may detect that a user has arrived via a search engine and attempt to provide a customized response tailored to the user’s search query.
Some applications attempt to improve their search rankings by dynamically adding content such as HTML keywords, including strings that new users arriving from search engines have been searching for. In this case, it may be possible to persistently inject content into the application’s responses by making a request numerous times containing a suitably crafted Referer URL.
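The following is an added example, not code from the original text, showing how a server can treat both cases above defensively: header values are neutralised before being logged, and search terms taken from the Referer are HTML-encoded before being placed in a keywords tag. The function names, the `q` query parameter and the length cap are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

MAX_LEN = 256  # assumed cap on any header-derived value
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def log_safe(value: str) -> str:
    """Truncate a header value, then escape control characters (CR/LF
    included) so it cannot start a forged log line."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value[:MAX_LEN])


def search_terms_from_referer(referer: str) -> str:
    """Return the 'q' search query from a Referer URL, or '' if absent.
    The returned string is still untrusted input."""
    try:
        query = urlsplit(referer).query
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return ""
    return parse_qs(query).get("q", [""])[0][:MAX_LEN]


def keywords_meta_tag(referer: str) -> str:
    """Build the keywords tag with the Referer-derived terms encoded
    for an HTML attribute context."""
    terms = html.escape(search_terms_from_referer(referer), quote=True)
    return f'<meta name="keywords" content="{terms}">'


# Constructed sample header values, not taken from real traffic.
SAMPLE_REFERER = 'https://search.example/?q="><script>alert(1)</script>'
SAMPLE_UA = "Mozilla/5.0\r\n127.0.0.1 - admin [forged entry]"

if __name__ == "__main__":
    print(log_safe(SAMPLE_UA))
    print(keywords_meta_tag(SAMPLE_REFERER))
```

Encoding at the point of output matters here because the keywords are stored and served to later visitors, so a single unencoded value would persist across responses.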
An important trend in recent years has been for applications to present different content to users who access the web application via different devices. This is done by inspecting the User-Agent header. As well as providing an avenue for input-based attacks directly within the User-Agent header itself, this behaviour provides an opportunity to uncover additional attack surface within the application.
By spoofing the User-Agent header of a popular mobile device, you may be able to access a simplified user interface that behaves differently from the primary interface. Because this interface is generated via different code paths within the server-side application and may have been subjected to less security testing, you may identify bugs such as XSS that do not exist in the primary application interface.