Help Wanted: What are these odd reuqests about?

Looking at our web honeypot data, I came across an odd new request header I hadn’t seen before: “X-Forwarded-App”. My first guess was that this is yet another issue with a proxy-server bucket brigade spilling secrets when a particular “App” is connecting to it. So I dove in a bit deeper, and found requests like this:

GET /business/appVersion/get/qr/download HTTP/1.1

Host: [honeypot IP address]

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Trailer/93.3.3570.29

Accept: application/json

Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,en;q=0.6

Content-Type: application/json;charset=UTF-8

Deviceid: 4c2e063f3def4582

Deviceinfo: android

License: doJn7HAfIo9xMsLbcEKD7ku40F2zWJjJOjgxwqFs_Hec3FdkKcgKRQFCOrf-5xxI

Phonemodel: samsung

V: 48650

X-Forwarded-App: app.F6syl6mB

Accept-Encoding: gzip

This looks like a request a mobile app would send. Some of the details, like the string following “app.”, change from request to request. The “License” header could be used as an API key (I modified it a bit in case this is a valid license).

Google’ing showed some APIs using an X-Forwarded-App header, but nothing specific that would match this request. Please let me know if you have any ideas what this request may be about.

—

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

Twitter|