Geoff Jones 24 June, 2013

ResponseCoder - Manipulation Of HTTP Response Headers

ResponseCoder is designed to allow you to easily manipulate HTTP response headers - specifically to identify weaknesses in perimeter filtering appliances such as web proxies and next generation firewalls. It’s an open source PHP script that formulates HTTP response headers on-the-fly, allowing the operator to form specific test cases as necessary.

The test cases are centred around the download of a Win32 executable - a common file format that is often blocked at the perimeter to prevent unauthorised code and malware from entering the corporate environment. To test the download of ‘permissible’ files, a text file can also be specified, allowing you to concentrate on discovering the oddities of any intermediary filtering devices.

Obviously, manipulating such HTTP response headers may lead to unexpected results in your browser - redirect codes, client errors and server error codes are typical examples that may (or should) cause a browser to ignore the body of a response. Try it for yourself - a 201 in Internet Explorer, for example, will cause it to ignore the specified filename in the ‘Content-Disposition’ header, whilst Chrome will accept that just fine.

There are numerous tests you can conduct with HTTP response headers (take a look over at http://greenbytes.de/tech/tc2231/ for some ideas), and this script certainly doesn't expose all possible scenarios. However, it does provide a quick testing framework which is easier to use and more intuitive than NetCat.
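
As an added example (not part of ResponseCoder or the original post), the sketch below shows the check these test cases are meant to exercise on the filtering side: classify a response by its body rather than by its status code, Content-Type or Content-Disposition, and report which headers disagree with the content. The sample responses, the minimal PE stub and all function names are constructed for illustration.

```python
# Added example (not ResponseCoder code). Sample responses are constructed.
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream",
              "application/vnd.microsoft.portable-executable"}

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body

def looks_like_pe(body: bytes) -> bool:
    """Body starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(body[0x3C:0x40], "little")
    return body[pe_off:pe_off + 4] == b"PE\0\0"

def assess(raw: bytes) -> dict:
    """Classify by body content, then list headers that disagree with it."""
    status, headers, body = parse_response(raw)
    executable = looks_like_pe(body)
    mismatches = []
    if executable:
        if status != 200:
            mismatches.append(f"status {status}")
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype not in EXEC_TYPES:
            mismatches.append(f"content-type {ctype or 'missing'}")
        # Naive substring test; full RFC 6266 filename parsing is out of scope.
        if ".exe" not in headers.get("content-disposition", "").lower():
            mismatches.append("filename not .exe")
    return {"executable": executable, "mismatches": mismatches}

# Constructed minimal PE stub: DOS header with e_lfanew = 0x40, then the PE signature.
PE_STUB = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"

def build(status_line: str, ctype: str, filename: str, body: bytes) -> bytes:
    head = (f"HTTP/1.1 {status_line}\r\nContent-Type: {ctype}\r\n"
            f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n')
    return head.encode("latin-1") + body

PLAIN = build("200 OK", "application/x-msdownload", "test.exe", PE_STUB)
ODD = build("201 Created", "text/plain", "test.txt", PE_STUB)
TEXT = build("200 OK", "text/plain", "test.txt", b"hello")
```

A filter that returns the same verdict for `PLAIN` and `ODD` is deciding on content; one that treats them differently is trusting headers the server controls.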

Grab the source from GitHub - https://github.com/cyberisltd/ResponseCoder
