This is a migrated thread and some comments may be shown as answers.

Enumerate a web client

John asked on 24 Nov 2014, 05:16 PM
Hi,

Want to know if there is any option to enumerate a web client requesting an HTTP session and get the maximum information about the web client, at least the following information:

1. MAC/Hardware address of the client
2. Computer name
3. OS type
4. IP address
5. Current user logged in or users list

Fiddler will be configured to act as reverse proxy.

Thank you,
JD

5 Answers, 1 is accepted

Eric Lawrence
Telerik team
answered on 24 Nov 2014, 08:11 PM
Servers (including proxies, like Fiddler) in general have a limited ability to learn information about remote clients.

+ You can easily determine a client's IP address (as it's inherent in the request itself).
- You cannot readily determine the client's OS, unless the OS information is included in the request. It happens that it often is included in the User-Agent string header sent by browsers, but this information is obviously easily spoofed.
- You cannot readily determine a client's "Computer name" unless the PC is configured in the DNS such that looking up its IP address returns the computer name.
- There's no way to determine "users list" from a request. If you prompt for authentication and if the client computer is configured to respond to authentication challenges, you may be able to determine a login username.
- You may or may not be able to determine the MAC/hardware address of the client, depending on what networking equipment is located between the client and the server.

Regards,
Eric Lawrence
Telerik
 

Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.

 
John
answered on 26 Nov 2014, 04:34 AM
Firstly, thank you for the reply.
I totally agree with your mentioned points and it will not be an out-of-the-box solution.
But still, can we initiate a response script to gather the information whenever a client requests a session?
Many thanks,
JD
Eric Lawrence
Telerik team
answered on 26 Nov 2014, 02:27 PM
Hello, John--

For security reasons, browsers do not expose scriptable methods that expose the information you hope to obtain.

Regards,
Eric Lawrence
Telerik
 

John
answered on 26 Nov 2014, 06:14 PM
Hello Eric,

I am not sure if I am getting it right.
Please correct me if I am wrong.

Sequential approach:

1. Web client requests a web session from a web server.
2. Fiddler intercepts the connection as a reverse proxy.
3. Fiddler initiates a script to scan the client, like an nmap script or any other enumeration script (considering there is no firewall between Fiddler and the client). nmap enumerates the client and provides the OS, IP address, MAC and other information.

Thanks & Regards,
JD


Eric Lawrence
Telerik team
answered on 27 Nov 2014, 12:07 AM
The Session's oFlags["X-ClientIP"] property holds the connecting client's IP address. You can do with that whatever you like.

Regards,
Eric Lawrence
Telerik
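
What the answers above say a reverse proxy can record from the request alone (connection IP, the spoofable User-Agent, and a computer name only when reverse DNS has one), shown as an added FiddlerScript example that is not from this thread or from Telerik. `DescribeClient` and `ptrCache` are hypothetical names; the members are assumed to be merged into the `Handlers` class of CustomRules.js.

```jscript
// Added example for CustomRules.js (FiddlerScript / JScript.NET).
// Merge these members into the existing Handlers class.
// DescribeClient and ptrCache are hypothetical names, not part of Fiddler.

// One reverse-DNS answer per client address; synchronized because
// Fiddler processes sessions on several threads.
static var ptrCache = System.Collections.Hashtable.Synchronized(
    new System.Collections.Hashtable());

static function DescribeClient(oSession: Session): String {
    // Recorded by Fiddler for the connecting client, not read from a header.
    var sIP: String = oSession.oFlags["X-ClientIP"];
    if (sIP == null || sIP.Length == 0) {
        return "client=(not recorded)";
    }

    // Client-asserted: any client can send any User-Agent, so treat the
    // OS hint in it as unverified.
    var sUA: String = oSession.oRequest["User-Agent"];
    if (sUA == null || sUA.Length == 0) { sUA = "(none sent)"; }

    // A computer name is available only when DNS has a reverse (PTR)
    // record for the address. The lookup blocks, so do it once per address.
    if (!ptrCache.ContainsKey(sIP)) {
        var sName: String = "(no reverse DNS)";
        try {
            sName = System.Net.Dns.GetHostEntry(sIP).HostName;
        } catch (e) {
            // Lookup failed: keep the placeholder.
        }
        ptrCache[sIP] = sName;
    }

    return "client=" + sIP
        + " ptr=" + ptrCache[sIP]
        + " user-agent(unverified)=" + sUA;
}

static function OnBeforeRequest(oSession: Session) {
    // If Handlers already defines OnBeforeRequest, add this line to it.
    FiddlerObject.log(DescribeClient(oSession));
}
```

Each line lands in Fiddler's Log tab; the MAC address, user list and verified OS are absent because, as the answers state, the request does not carry them.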
 
