LinuxQuestions.org


gliesian 04-20-2008 05:44 PM

Client browser add-on detection
 
I know that a web server can detect the type of browser that is being used. Can a web server detect add-ons that are used by those browsers? If so, how?

win32sux 04-20-2008 07:38 PM

Quote:

Originally Posted by gliesian (Post 3127360)
I know that a web server can detect the type of browser that is being used. Can a web server detect add-ons that are used by those browsers? If so, how?

Are you trying to do this or protect yourself from having it done to you?

I believe it depends on the browser's design, but someone please correct me if I'm wrong. It's definitely not something to be taken lightly, as in most cases it would be considered a security vulnerability (information disclosure) IMHO. IIRC Firefox has been affected by this issue in the past, and it was consequently patched due to the security implications.

So, unless a browser specifically provides this as a feature, you'd need to exploit it in order to get your hands on this information. And in that case, a discussion regarding a "how" would not be compatible with the LQ Rules. This is just something I would like our members to keep in mind when replying to your question.

As far as a legit way to do it, I think you could probably create a Firefox extension which does this. Users could then install it at their own risk if they so wish. Of course, the extension developer would need to document the method which the server would need to use to query the browser for the details.

gliesian 04-21-2008 07:39 AM

Client (Browser) info.
 
Quote:

Originally Posted by win32sux (Post 3127427)
Are you trying to do this or protect yourself from having it done to you?

I believe it depends on the browser's design, but someone please correct me if I'm wrong. It's definitely not something to be taken lightly, as in most cases it would be considered a security vulnerability (information disclosure) IMHO. IIRC Firefox has been affected by this issue in the past, and it was consequently patched due to the security implications.

So, unless a browser specifically provides this as a feature, you'd need to exploit it in order to get your hands on this information. And in that case, a discussion regarding a "how" would not be compatible with the LQ Rules. This is just something I would like our members to keep in mind when replying to your question.

As far as a legit way to do it, I think you could probably create a Firefox extension which does this. Users could then install it at their own risk if they so wish. Of course, the extension developer would need to document the method which the server would need to use to query the browser for the details.

You've answered my question... thanks.

I am curious though, how does the web server know what browser is being used? I guess it's sent in the connection messages.

I guess it's these five things (IP Address, remote port, browser cookie, browser name, browser licensee); http://www.red-squirrel.com/cgi-bin/env.cgi

unSpawn 04-21-2008 10:30 AM

Quote:

Originally Posted by win32sux (Post 3127427)
It's definitely not something to be taken lightly, as in most cases it would be considered a security vulnerability (information disclosure) IMHO. IIRC Firefox has been affected by this issue in the past, and it was consequently patched due to the security implications.

IIGC the FF extension one had to do with chrome:// URIs. (Gotta love the browser that renders everything *plus* the kitchen sink.) See the ha.ckers site, they do a pretty good job explaining all sorts of FF "goodies".


Quote:

Originally Posted by gliesian (Post 3127848)
I am curious though, how does the web server know what browser is being used? I guess it's sent in the connection messages.

The browser specs are in the UA or "User Agent" string the application sends. Servers cannot depend on it because often apps have ways to "d|refine" the UA at compile time, through config files (Privoxy: hide-user-agent{}) or on the CLI (wget, mplayer: --user-agent).
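
Added example, not part of the thread or any poster's code: a sketch of how a server fills a CGI-style environment, separating values it reads from the TCP connection from values copied out of request headers such as User-Agent. The requests, address, and the helper names `cgi_environ`, `client_controlled` and `changed` are constructed for illustration; the variable names are the ones web servers commonly set for CGI scripts.

```python
# Added example, not code from the thread. Requests and address are constructed.
REQUEST_A = (b"GET /cgi-bin/env.cgi HTTP/1.1\r\n"
             b"Host: www.example.org\r\n"
             b"User-Agent: ExampleBrowser/1.0\r\n"
             b"Cookie: session=abc123\r\n\r\n")
# Same client, but the UA was overridden (e.g. wget --user-agent=...).
REQUEST_B = REQUEST_A.replace(b"ExampleBrowser/1.0", b"SomethingElse/9.9")
PEER = ("192.0.2.10", 51234)   # (address, port) as seen on the TCP socket


def cgi_environ(raw_request, peer):
    """Return {variable: (value, source)} in the style of a CGI environment.

    source is "connection" for values the server reads from the socket and
    "client header" for values copied from request headers.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    env = {
        "REMOTE_ADDR": (peer[0], "connection"),
        "REMOTE_PORT": (str(peer[1]), "connection"),
    }
    for line in head.split("\r\n")[1:]:      # [0] is the request line
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            continue                          # ignore malformed header lines
        # Headers become HTTP_<NAME>, so they cannot overwrite REMOTE_* keys.
        key = "HTTP_" + name.upper().replace("-", "_")
        value = value.strip()
        if key in env:                        # repeated header: join values
            value = env[key][0] + ", " + value
        env[key] = (value, "client header")
    return env


def client_controlled(env):
    """Names of variables whose value the client chose."""
    return sorted(k for k, (_, src) in env.items() if src == "client header")


def changed(env_a, env_b):
    """Variables that differ between two requests."""
    return sorted(k for k in env_a.keys() | env_b.keys()
                  if env_a.get(k) != env_b.get(k))


if __name__ == "__main__":
    a, b = cgi_environ(REQUEST_A, PEER), cgi_environ(REQUEST_B, PEER)
    for key, (value, source) in sorted(a.items()):
        print(f"{key:16} {value:24} [{source}]")
    print("changed by overriding the UA:", changed(a, b))
```

Anything tagged "client header" should be treated as untrusted input when it is logged or used in a decision.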

