Also: Clear call for #ECollecting
https://www.inside-it.ch/blindenverband-fordert-umgehend-e-voting-20230905

@michelamarie @Edent As it happens I pushed a pull request to CRS (the OWASP ModSecurity Core Rule Set project) lately. It's about almost 2K bad user agents.
https://github.com/coreruleset/coreruleset/pull/3202
Headless Chrome is on the list.

It's been a lot of work, but here is the PR that brings new rules to inspect the user-agent of clients: We have 3 existing rules focusing on the user agent. 913100 and two PL2 stricter siblings: 9...

I've consolidated a list of security scanner user agents. Many modern ones send a fake UA. But some don't. Here is the list, minus public security services such as ssllabs; all lowercase and abbreviated to the essential keyword:
betabot
bewica-security-scan
dirbuster
fimap
gobuster
havij
hexometer
jbrofuzz
jorgee
libwhisker
masscan
massscan
morfeus fucking scanner
nessus
netlab360
netsparker
nikto
nmap
nuclei
openvas
sitelockspider
sqlmap
sysscan
w3af.org
webbandit
webshag
wfuzz
whatweb
wprecon
wpscan
zgrab
zmeu
I've gone through many, many different sources. Did I miss anything?

1st real use case for ChatGPT where it allows me to perform something I would not attempt without assistance:
Qualify a list of ~2K user agents I grabbed from GitHub. ChatGPT tells me if they are popular at all and what their use case is.
Working with the CLI by @mmabrouk_.

The video of my @1ns0mn1h4ck keynote
"Crazy Incentives And How They Drive Security Into No Man's Land"
is now online.
Watch this if you believe in Bug Bounties, pie charts or if you think the shepherd got bad press when he cried wolf too often.