Tuesday, August 2, 2016

Web scanning / weird HTTP headers

So there I was, scanning the web with a little Python script, looking for servers and other connected devices (you know, typical Tuesday night stuff) when I found a response that had an HTTP header with the key "X-hacker".

I've never seen that one before so I opened it up to see what the value was, thinking that surely it'll be something awesome...
X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
That's right. They're in our meetups, and discussion boards, and now recruiters are even lurking in HTTP headers.

To anyone interested in the scanning script, it's basically a modified version of this: https://gist.github.com/wybiral/8529a14092fef7e31a1c82eb65d36c60. You need a MongoDB instance for it to insert the scans into. Then you can query that MongoDB instance. I use a small web interface that groups them for quick statistics on common responses, popular server versions, etc. Yes, you'd have much better performance if you put something like ZMap in front of a parser, but this works well enough for my needs. Don't do anything I wouldn't do.