I'm seeing occasional mysterious POST requests without Content-Types

July 6, 2018

Sometimes I go out of my way to turn over rocks in the web server logs for Wandering Thoughts, but other times my log monitoring turns them over for me. The latter is how I know that Wandering Thoughts has been seeing periodic bursts of unusual POST requests that don't appear to have a Content-Type. I saw another such burst today, so I'm going to write this one up.

Today's burst is six requests from a single IP (86.139.145.21), POST'ing to a single entry between 12:55:12 and 12:56:08. In fact there were two bursts of three POSTs each, one burst at 12:55:12 and 12:55:13 and the second at 12:56:08. DWiki's logging says that all of them lacked a Content-Type, but it didn't record any other details. This specific IP address made no other requests today, or even in the past nine days. On July 2nd, it was nine POSTs to this entry from 59.46.77.82 in three bursts of three, at 21:36:20, 21:42:2[12], and 21:53:35. Both IPs used a very generic User-Agent that I believe is simply the current Chrome on Windows 10.

In all of the cases so far, the POSTs are made directly to the URL of a Wandering Thoughts entry, not to, say, the 'write a comment' page. This is noteworthy because I don't have any forms or other links that do POST submissions to entry URLs; all references to entry URLs are plain links and thus everyone should be using GET requests. Anything that's deciding to make these POST requests is making them up, either by mistake or through some maliciousness.

(In the past I've seen zero length POSTs with a valid HTML form content-type, which I believe were also for regular entry URLs although past me didn't write that explicitly in the entry.)

There's a part of me that wants to augment DWiki's logging to record, say, the claimed Content-Length for these POST requests so I can see if they claim to have content or if they're 0-length. Probably this is going further in turning over rocks than I want to, unless I'm going to go all the way to logging the actual POST body to try to see what these people are up to.

(Apparently POSTs without a Content-Type are technically legal and you're supposed to interpret the contents as the generic application/octet-stream (unless you want to attempt to guess by inspecting the data, which you don't). See e.g. here, pointing to the HTTP 1.1 specification. However, all of my POST forms properly specify the content-type the browser should use, so this shouldn't be happening even for proper POST requests to valid POST URLs.)
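As an added illustration of the logging augmentation floated above (example code, not DWiki's own), here is a small WSGI middleware that records every POST arriving without a Content-Type, together with its claimed Content-Length, plus a helper that groups those records into per-IP bursts like the ones described earlier. The 30-second burst window, the entry path, the stand-in application and the sample traffic (documentation-range IPs) are all assumptions constructed for the example.

```python
import time
from collections import defaultdict
def log_contenttype_less_posts(app, records, clock=time.time):
    """WSGI middleware: record each POST lacking a Content-Type, then pass it on."""
    def wrapped(environ, start_response):
        if environ.get("REQUEST_METHOD") == "POST" and not environ.get("CONTENT_TYPE"):
            records.append({
                "time": clock(),
                "ip": environ.get("REMOTE_ADDR", "-"),
                "path": environ.get("PATH_INFO", "/"),
                "content_length": environ.get("CONTENT_LENGTH") or "0",  # claimed, not verified
                "user_agent": environ.get("HTTP_USER_AGENT", "-"),
            })
        return app(environ, start_response)
    return wrapped
def bursts(records, window=30):
    """Group records per IP into bursts: runs of requests each no more than
    `window` seconds after the previous one (30 s is an assumed threshold)."""
    by_ip = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        groups = by_ip[rec["ip"]]
        if groups and rec["time"] - groups[-1][-1]["time"] <= window:
            groups[-1].append(rec)
        else:
            groups.append([rec])
    return dict(by_ip)
# Constructed sample (documentation IPs) modelled on the timings described above;
# tuples are (seconds since midnight, ip, method, content-type, content-length).
SAMPLE = [
    (12 * 3600 + 55 * 60 + 12, "192.0.2.10", "POST", None, "0"),
    (12 * 3600 + 55 * 60 + 13, "192.0.2.10", "POST", None, "0"),
    (12 * 3600 + 55 * 60 + 30, "192.0.2.10", "GET", None, None),  # must be ignored
    (12 * 3600 + 56 * 60 + 8, "192.0.2.10", "POST", None, "17"),
    (12 * 3600 + 57 * 60, "192.0.2.20", "POST", "application/x-www-form-urlencoded", "41"),
]
def replay(sample=SAMPLE, window=30):
    # Push the constructed sample through the middleware, return per-IP bursts.
    records, now = [], [0]
    app = lambda environ, start_response: [b"ok"]  # stand-in for DWiki itself
    wrapped = log_contenttype_less_posts(app, records, clock=lambda: now[0])
    for t, ip, method, ctype, clen in sample:
        now[0] = t
        environ = {"REQUEST_METHOD": method, "REMOTE_ADDR": ip, "PATH_INFO": "/blog/web/SomeEntry",
                   "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)"}
        if ctype: environ["CONTENT_TYPE"] = ctype
        if clen is not None: environ["CONTENT_LENGTH"] = clen
        wrapped(environ, lambda status, headers: None)
    return bursts(records, window)
```

With the 30-second window the sample yields two bursts (two requests, then one) from the single offending IP; widening the window to 60 seconds merges them into one, which is the knob to tune against your own traffic.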

PS: Apache probably accepts POSTs with no Content-Type to static, GET-only resources because Apache will accept pretty much anything you throw at it. DWiki is more cautious, although that's basically become a mistake.


Comments on this page:

By Jukka at 2018-07-06 06:22:47:

Though not relevant to what you're seeing, zero-length POSTs are one way to do third-party user tracking (a.k.a. web beacons). I think there is even a W3C draft API for this.

By Nathan at 2018-07-07 01:59:03:

We received a multi-day burst of malformed messages too; it looks like they were scanning for NAS server vulnerabilities. I ended up blocking the IP at the web server level, and that "fixed" the issue.


Last modified: Fri Jul 6 01:35:10 2018