HTTP response contains a space

#1

Our firewall vendor has published a threat signature update detecting Cobalt Strike potential C2 traffic where the web server returns HTTP response with a after the reason-Phrase e.g. HTTP/1.1 200 OK, instead of HTTP/1.1 200 OK

The signature has matched quite a number of websites which all are proxied through Cloudflare e.g.
www.merrell.com
www.belk.com
www.hotelchocolat.com
www.jag.com.au

Is this something Cloudflare has done deliberately? What is the reason behind that?
Thanks.

0 Likes

#2

My assumption would be this comes straight from their servers.

However, a trailing space is valid according to the specification at https://tools.ietf.org/html/rfc7230#section-3.1.2

1 Like

closed #3

This topic was automatically closed after 14 days. New replies are no longer allowed.

0 Likes