nerdexam
GIAC

GCIH · Question #677

Which of the following squid proxy log fields is easiest for an attacker to spoof?

The correct answer is D. User agent. The User-Agent field is entirely client-supplied in HTTP request headers, making it trivially easy for an attacker to set it to any arbitrary value and spoof in Squid proxy logs.

Incident Response & Cyber Kill Chain

Question

Which of the following squid proxy log fields is easiest for an attacker to spoof?

Options

  • AHTTP method
  • BSession duration
  • CTimestamp
  • DUser agent

How the community answered

(46 responses)
  • A
    7% (3)
  • B
    2% (1)
  • C
    11% (5)
  • D
    80% (37)

Why each option

The User-Agent field is entirely client-supplied in HTTP request headers, making it trivially easy for an attacker to set it to any arbitrary value and spoof in Squid proxy logs.

AHTTP method

The HTTP method is also client-controlled, but arbitrarily changing it (e.g., POST to GET) typically breaks application functionality, limiting its practical usefulness for log evasion.

BSession duration

Session duration is calculated server-side by the proxy based on observed connection timing and cannot be directly injected or spoofed by the client.

CTimestamp

Timestamps in Squid access logs are generated by the proxy server at the moment the request is processed, not supplied by the connecting client.

DUser agentCorrect

The User-Agent string is sent by the client as part of the HTTP request headers and can be set to any arbitrary value using tools such as curl, Burp Suite, or custom scripts with no server-side verification. Because the Squid proxy simply logs whatever value the client reports, an attacker can impersonate any browser, crawler, or tool without detection. This makes User-Agent the least trustworthy field in proxy logs for forensic attribution.

Concept tested: HTTP User-Agent spoofing in proxy log analysis

Source: https://wiki.squid-cache.org/Features/LogFormat

Topics

#proxy log analysis#user agent spoofing#log tampering#attacker evasion

Community Discussion

No community discussion yet for this question.

Full GCIH Practice