Disappearing Websites

Last night I was out with some friends discussing various security stuff.  One of my friends, kind of as a joke, suggested that if we started to manipulate HTTP response codes, headless scanners would get confused and go away.

He was right.

Tonight I got bored and thought it’d be fun to make a website disappear.  It’s actually a fairly simple trick: all one needs to do is change the 200 response codes on server responses to 404, and poof!

The code for it is very simple (although this only works locally**):

So, you might be thinking: so what?

Well, scanners generally check the status code before attempting to parse the content that comes back.  This means that in many cases the scanner will ignore the content entirely and move on.  Under the default settings in Burp, for instance, when you try to spider a site like this, it disappears.

Yes, in Burp you can change the display options under filters, but other scanners don’t always have the ability to toggle how they deal with 404s.  Nikto will ignore the robots.txt file if it 404s unless you modify the plugin.  And if you weren’t expecting this already, why would you change settings to show more data that is in most cases irrelevant?
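The scanner-side counterpart to the behaviour described above, as an added example that is not part of the original post: a crawler that fetches a path that cannot exist as a baseline, compares every 404 body against it, and still parses links when the body differs. The site contents, `fake_fetch`, the probe path, the 0.9 threshold and all function names are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample site: every page answers 404 but carries real content.
SITE = {
    "/": '<h1>Home</h1><a href="/about">About</a> <a href="/login">Login</a>',
    "/about": '<h1>About</h1><a href="/">Home</a>',
    "/login": '<form action="/session"><input name="user"></form>',
}
NOT_FOUND = "<h1>Not Found</h1><p>The requested resource does not exist.</p>"
LINK_RE = re.compile(r'''(?:href|src|action)\s*=\s*["']([^"'#]+)''', re.I)

def fake_fetch(path):
    """Stand-in for an HTTP client (assumption); returns (status, body)."""
    return 404, SITE.get(path, NOT_FOUND)

def classify(response, baseline, threshold=0.9):
    """Return 'parse', 'skip' or 'parse-masked' for a (status, body) pair."""
    status, body = response
    if status != 404:
        return "parse"
    if SequenceMatcher(None, body, baseline[1]).ratio() >= threshold:
        return "skip"          # same as the server's genuine not-found page
    return "parse-masked"      # 404 status wrapped around distinct content

def crawl(fetch, start="/", probe="/no-such-path-7f3a9c"):
    """Breadth-first crawl that does not trust the status code alone."""
    baseline = fetch(probe)    # what a truly missing path looks like
    seen, queue, masked = {start}, [start], []
    while queue:
        path = queue.pop(0)
        response = fetch(path)
        verdict = classify(response, baseline)
        if verdict == "skip":
            continue
        if verdict == "parse-masked":
            masked.append(path)
        for link in LINK_RE.findall(response[1]):
            if link.startswith("/") and link not in seen:
                seen.add(link)
                queue.append(link)
    return sorted(seen), masked

if __name__ == "__main__":
    print(crawl(fake_fetch))
```

The second return value lists the pages whose 404 status did not match the baseline body, which is the signal that a site is masking its status codes.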

Now, I recognize this isn’t a production-scale bit of hackery, especially as this can wreak havoc in browsers as well (http://support.microsoft.com/kb/218155).  But in cases where I don’t care about SEO, I am willing to pad my responses to not get the friendly 404s, and I don’t care about a user’s browsing history, it’s so far fairly effective at getting itself ignored.


** IIS has a “feature”? that when you change the status code from a 200 to a 404, it appears to throw an exception.  In the case of the above HttpModule, it tries to modify the HTTP headers and send the request again, which causes it to bomb for real.  For some reason, when I test this on my localhost, I have no issues at all.  When I test it off my local subnet, it actually 404s.  I believe output buffering will solve this problem; however, since it’s just a PoC, I am going to call it good enough.



