Help Wanted: What are these odd requests about?, (Sun, Sep 21st)
While analysing web honeypot data, the author noticed a new request header, "X-Forwarded-App", and suspected it might be related to a proxy server leaking information. Further investigation suggests the request may originate from a mobile app and contains potentially sensitive information such as an API key. 2025-9-21 17:18:9 Author: isc.sans.edu (view original)

Looking at our web honeypot data, I came across an odd new request header I hadn't seen before: "X-Forwarded-App". My first guess was that this is yet another issue with a proxy-server bucket brigade spilling secrets when a particular "App" is connecting to it. So I dove in a bit deeper, and found requests like this:

GET /business/appVersion/get/qr/download HTTP/1.1
Host: [honeypot IP address]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Trailer/93.3.3570.29
Accept: application/json
Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,en;q=0.6
Content-Type: application/json;charset=UTF-8
Deviceid: 4c2e063f3def4582
Deviceinfo: android
License: doJn7HAfIo9xMsLbcEKD7ku40F2zWJjJOjgxwqFs_Hec3FdkKcgKRQFCOrf-5xxI
Phonemodel: samsung
V: 48650
X-Forwarded-App: app.F6syl6mB
Accept-Encoding: gzip

This looks like a request a mobile app would send. Some of the details, like the string following "app.", change from request to request. The "License" header could be used as an API key (I modified it a bit in case this is a valid license).

Googling showed some APIs using an X-Forwarded-App header, but nothing specific that would match this request. Please let me know if you have any ideas what this request may be about.
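One way to hunt for this header in your own honeypot or proxy logs, as an added example that is not part of the diary: it parses raw requests, flags those carrying X-Forwarded-App, records the variable suffix after "app." so distinct values can be counted over time, and redacts credential-like headers such as License before anything is written to a log. The sample requests, the Host address and the License value are constructed.

```python
import re
from typing import Dict, Optional
# Constructed sample (example code, not from the diary): the request shown
# above with a placeholder License value, plus an unrelated request.
SAMPLE_REQUESTS = [
    "GET /business/appVersion/get/qr/download HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Accept: application/json\r\n"
    "Deviceid: 4c2e063f3def4582\r\n"
    "Deviceinfo: android\r\n"
    "License: PLACEHOLDER-NOT-A-REAL-LICENSE-VALUE\r\n"
    "Phonemodel: samsung\r\n"
    "V: 48650\r\n"
    "X-Forwarded-App: app.F6syl6mB\r\n"
    "Accept-Encoding: gzip\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: curl/8.0\r\n\r\n",
]

# Headers whose values may be credentials; never log them in the clear.
SECRET_HEADERS = {"license", "authorization", "cookie"}

def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 request into its request line and a
    lower-cased header dict (header names are case-insensitive)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {"_request_line": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def triage(raw: str) -> Optional[Dict[str, str]]:
    """Return a redacted summary if the request carries X-Forwarded-App,
    otherwise None. Secret headers are reduced to their length."""
    h = parse_request(raw)
    app = h.get("x-forwarded-app")
    if app is None:
        return None
    # The part after "app." changes per request; keep it separately.
    m = re.fullmatch(r"app\.([A-Za-z0-9_-]+)", app)
    summary = {
        "request_line": h["_request_line"],
        "app_suffix": m.group(1) if m else app,
        "deviceid": h.get("deviceid", ""),
        "phonemodel": h.get("phonemodel", ""),
    }
    for name in SECRET_HEADERS.intersection(h):
        summary[name] = f"<redacted, {len(h[name])} chars>"
    return summary
```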

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu


Article source: https://isc.sans.edu/diary/rss/32302