[thelist] user agent spoofing security issues?

Shawn K. Quinn skquinn at speakeasy.net
Wed Feb 7 15:59:39 CST 2007

On Wed, 2007-02-07 at 10:00 -0500, Brian Cummiskey wrote:
> are there security issues (sql injection specifically)
> involved with storing the user agent?  Just how far can the
> user agent be changed?

It doesn't even have to be present. My current Privoxy config usually
changes User-Agent to "Privoxy/3.0 (Anonymous)" except for a couple of
cases, where it's changed to "Sorry, Not Available Unless You're Sitting
At My Computer" or "Mozilla/9.0 (compatible with the nosy bot at
***.com)". Lynx also lets you change User-Agent at will, and the last
time I used Opera, it did as well.

I would not trust User-Agent to accurately identify the browser being
used, even if it is present. It at least was commonplace at one time for
other browsers to spoof the IE User-Agent string to bypass stupid
detection scripts; I would like to think these are nearly extinct, but
at least the site for the CVS drugstores (at the obvious place)
knowingly rejected some browsers if they didn't match the "webmaster"'s
idea of a browser according to the User-Agent.

Shawn K. Quinn <skquinn at speakeasy.net>

More information about the thelist mailing list