
Search Engine Spider and User Agent Identification Forum

MSIE 11 odd UA string
like gecko

dstiles (WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 5+ Year Member)

Msg#: 4644564 posted 8:55 pm on Feb 12, 2014 (gmt 0)

I have just received a complaint from a legitimate user that they were refused access to one of my hosted sites. The UA string, below, was sent with a reasonable header except for HTTP/1.0, which I think was the actual cause of blocking.

To ensure future accesses I need to update for the MSIE 11 string but that's trivial. The HTTP protocol is worrying. Does anyone else have experience of this UA and its HTTP/1.0-1 protocol?

Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

From MS' blog...

IE11's Default UA String

By default, Internet Explorer 11 on Windows 8.1 sends the following User-Agent string:

Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

This string is deliberately designed to cause most UA-string sniffing logic to interpret it either Gecko or WebKit. This design choice was a careful one—the IE team tested many UA string variants to find out which would cause the majority of sites to “just work” for IE11 users.

It goes on to discuss adding such things as .NET4.0E; .NET4.0C; into the UA between the Trident identifier and the rv version. Thus the actual UA is still similar to the old one in some respects. There is also the Compatibility mode which removes the new syntax and reverts to the old one, so one can never really be sure what to expect.

The sniffing referred to is .NET's means of returning the correct web site content. It has nothing to do with real life UA detection. With respect to MS, they might have considered a better method than tacking "like gecko" onto the end of the UA in such a cavalier fashion instead of implementing it properly, as other browsers do.

I wonder how this user (or any other!) managed to send the default UA rather than the .NET version, given that all MS operating systems, as far as I know, include .NET stuff.

I wonder how long before the first abusers cotton on to this UA?

[edited by: incrediBILL at 9:07 pm (utc) on Feb 22, 2014]
[edit reason] formatting and linking [/edit]



5+ Year Member

Msg#: 4644564 posted 2:23 pm on Apr 28, 2014 (gmt 0)

I wonder how long...

I first picked up this exact string 9 days ago. Been seeing short bursts of it every other day since.

Without exception, these were trickle-style dictionary attacks against a WordPress site's admin account.

Coming from a handful of IPs, all but one being in recently-announced CIDR subnets.
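
Added example, not part of either post above: one way to recognise the IE11 string (with or without the extra tokens before rv:) and to pick out the slow login-guessing pattern described in the second post without refusing ordinary visitors who send the same string. The combined log format, the /wp-login.php path, the threshold and the sample lines are assumptions made for this example.

```python
import re
from collections import Counter

DEFAULT_IE11 = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
EXTENDED_IE11 = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C; rv:11.0) like Gecko"
LOGIN_PATH = "/wp-login.php"  # assumption: stock WordPress login endpoint
THRESHOLD = 3                 # assumption: login POSTs per IP across the whole log

# Apache/nginx "combined" access-log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) HTTP/[\d.]+" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def classify_ua(ua):
    """Return 'ie11-default', 'ie11-extended' (extra tokens before rv:), or None."""
    m = re.fullmatch(r"Mozilla/5\.0 \(([^)]*)\) like Gecko", ua)
    if not m:
        return None
    tokens = m.group(1).split("; ")
    if "Trident/7.0" not in tokens or tokens[-1] != "rv:11.0":
        return None
    return "ie11-default" if ua == DEFAULT_IE11 else "ie11-extended"

def suspicious_clients(lines, threshold=THRESHOLD):
    """Count login POSTs carrying the exact default string, per IP, over the whole
    log, because a trickle attack may stay under any per-minute rate limit. The HTTP
    version is deliberately ignored: a legitimate visitor may also send HTTP/1.0."""
    posts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if (m and m["method"] == "POST" and m["path"].split("?")[0] == LOGIN_PATH
                and classify_ua(m["ua"]) == "ie11-default"):
            posts[m["ip"]] += 1
    return {ip: n for ip, n in posts.items() if n >= threshold}

def _line(ip, when, method, path, proto, ua):
    return f'{ip} - - [{when} +0000] "{method} {path} {proto}" 200 512 "-" "{ua}"'

# Constructed sample log (documentation IP ranges), not data from the thread.
SAMPLE = [
    _line("192.0.2.10", "19/Apr/2014:09:00:00", "GET", "/", "HTTP/1.0", DEFAULT_IE11),
    _line("198.51.100.7", "19/Apr/2014:03:12:01", "POST", LOGIN_PATH, "HTTP/1.0", DEFAULT_IE11),
    _line("203.0.113.5", "20/Apr/2014:10:30:00", "POST", LOGIN_PATH, "HTTP/1.1", EXTENDED_IE11),
    _line("198.51.100.7", "21/Apr/2014:03:40:17", "POST", LOGIN_PATH, "HTTP/1.0", DEFAULT_IE11),
    _line("198.51.100.9", "22/Apr/2014:11:05:44", "POST", LOGIN_PATH, "HTTP/1.1", DEFAULT_IE11),
    _line("198.51.100.7", "23/Apr/2014:04:02:59", "POST", LOGIN_PATH, "HTTP/1.0", DEFAULT_IE11),
]

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE))
```

Only the address that keeps returning to the login form is reported; the visitor who fetched a page over HTTP/1.0 with the same string is not.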
