Welcome to WebmasterWorld Guest from 54.197.116.116

Forum Moderators: Ocean10000 & incrediBILL

Message Too Old, No Replies

MSIE 11 odd UA string

like gecko

   
8:55 pm on Feb 12, 2014 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member



I have just received a complaint from a legitimate user that they were refused access to one of my hosted sites. The UA string, below, was sent with a reasonable header except for HTTP/1.0, which I think was the actual cause of blocking.

To ensure future accesses I need to update for the MSIE 11 string but that's trivial. The HTTP protocol is worrying. Does anyone else have experience of this UA and it's HTTP/1.0-1 protocol?

User-Agent:
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

From MS' blog...

[blogs.msdn.com...]
IE11's Default UA String

By default, Internet Explorer 11 on Windows 8.1 sends the following User-Agent string:

Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

This string is deliberately designed to cause most UA-string sniffing logic to interpret it either Gecko or WebKit. This design choice was a careful one—the IE team tested many UA string variants to find out which would cause the majority of sites to “just work” for IE11 users.

It goes on to discuss adding such things as .NET4.0E; .NET4.0C; into the UA between the Trident identifier and the rv version. Thus the actual UA is still similar to the old one in some respects. There is also the Compatibility mode which removes the new syntax and reverts to the old one, so one can never really be sure what to expect.

The sniffing referred to is .NET's means of returning the correct web site content. It has nothing to do with real life UA detection. With respect to MS, they might have considered a better method than tacking "like gecko" onto the end of the UA in such a cavalier fashion instead of implementing it properly, as other browsers do.

I wonder how this user (or any other!) managed to send the default UA rather than the .NET version, given that all MS operating systems, as far as I know, include .NET stuff.

I wonder how long before the first abusers cotton on to this UA?

[edited by: incrediBILL at 9:07 pm (utc) on Feb 22, 2014]
[edit reason] formatting and linking [/edit]

2:23 pm on Apr 28, 2014 (gmt 0)

5+ Year Member



I wonder how long...


I first picked up this exact string 9 days ago. Been seeing short bursts of it every other day since.

Without exception, these were trickle-style dictionary attacks against a WordPress site's admin account.

Coming from a handful of IPs, all but one being in recently-announced CIDR subnets.