Web Security Testing : Automating Specific Tasks with cURL - Impersonating a Specific Kind of Web Browser or Device


Problem

Some web applications react to the User-Agent string that is passed from the web browser. The software actually selects different pages to display or different code to execute depending on what kind of browser it thinks it is talking to. cURL allows us to specify what our User-Agent string will be, thus allowing us to pretend to be any browser at all. This may allow you to simulate requests from mobile phones, Flash players, Java applets, or other non-browser software that makes HTTP requests.

Solution

# Internet Explorer on Windows Vista Ultimate
curl -o MSIE.html -A 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)' http://www.example.com/

# Firefox 2.0.0.15 on MacOS X
curl -o FFMac.html -A 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.15' http://www.example.com/

# "Blazer" web browser on PalmOS devices
curl -o Palm.html -A 'Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; PalmSource/hspr-H102; Blazer/4.0) 16;320x320' http://www.example.com/

Discussion

There is no rhyme or reason to User-Agent strings, except the vestigial “Mozilla” at the beginning of the string—a reminder of the browser wars. There are many databases and websites that collect these strings, but as a tester, you want to gather them differently. You want to find out from the developers or from the source code itself which user agents the code responds to (if any). That way you can determine how many different kinds of tests you need to do. You may want to talk to operations staff to get some of your web server logs and look at what User-Agents you’re seeing in the wild.

You can also browse around interactively while impersonating another device. By poking around interactively, you may discover that your application does react to the User-Agent and, therefore, that you need to make some test cases based on this recipe.

Providing customized content

Yahoo! is a major website that reacts to the User-Agent string. If you choose something it doesn’t recognize, it will send a very small web page (and one that has very little JavaScript and fewer advertisements). If your User-Agent is recognizable as Internet Explorer, Firefox, or another well-known browser, Yahoo! will deliver customized content—including JavaScript that is carefully tuned to execute correctly in your web browser. One of the reasons Yahoo! does this is to provide a good-looking interface to new devices that they have never heard of before. The first person to visit http://www.yahoo.com/ with a Nintendo Wii or an Apple iPhone got a generic page that probably rendered pretty well, but did not have all the features of Yahoo! when viewed in a browser. Eventually, as Yahoo! becomes aware of the capabilities of the Wii or the iPhone, they will change their site to react differently, based on the User-Agent.

Reacting to User-Agent is rare

Most web applications don’t react to browsers at all. You only need to consider this testing technique if you know for a fact that your application behaves this way. Note that many sites and applications that use complex cascading style sheets (CSS) or asynchronous JavaScript and XML (AJAX) will have a lot of complex JavaScript code that loads differently depending on which browser it runs in. This is not the same as having the server read the User-Agent string and perform different operations based on which browser requested the page. Many sites send JavaScript that will be executed differently depending on the browser. Few look at the User-Agent string at run time.

Realize that, if you’re one of the lucky few who has software that responds differently to different User-Agents, this will increase your test matrix significantly. Tests for vulnerabilities like cross-site scripting (XSS), SQL injection, or session fixation will have to be done with representatives of various different kinds of browsers to be sure that all the code is tested.
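The quickest way to find out whether an application belongs to the "lucky few" is to fetch the same URL once per User-Agent string and compare the bodies, which is the interactive poking-around above turned into a repeatable check. The script below is an added example, not part of the original recipe: it assumes cURL is on the PATH, reuses the three User-Agent strings from the Solution plus a deliberately unrecognized one (so a site that serves a generic page to unknown agents, as described under "Providing customized content", shows up as a difference), and fingerprints each body with POSIX cksum.

```shell
#!/bin/sh
# Added example: detect whether a server branches on User-Agent by fetching
# one URL once per User-Agent string and comparing the response bodies.
# Assumes cURL is on PATH. The UA list below is constructed for illustration.

# One User-Agent per line. The last entry is an intentionally unknown agent,
# since some sites fall back to a generic page when they don't recognize it.
UA_LIST='Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.15
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; PalmSource/hspr-H102; Blazer/4.0) 16;320x320
ua-probe/0.1 (unrecognized test agent)'

# fetch_with_ua URL UA OUTFILE: a single cURL request carrying the given User-Agent.
fetch_with_ua() {
    curl -s -S -o "$3" -A "$2" "$1"
}

# body_hash FILE: a stable fingerprint of a response body (POSIX cksum CRC).
body_hash() {
    cksum < "$1" | cut -d' ' -f1
}

# count_distinct FILE...: how many different bodies are among the given files.
# 1 means every User-Agent received the same page; more means the server branches.
count_distinct() {
    for f in "$@"; do
        body_hash "$f"
    done | sort -u | wc -l | tr -d ' '
}

# probe_url URL DIR: fetch URL once per User-Agent into DIR, print one
# "hash  user-agent" line per fetch, then a verdict.
probe_url() {
    url=$1
    dir=$2
    mkdir -p "$dir"
    n=0
    while IFS= read -r ua; do
        n=$((n + 1))
        fetch_with_ua "$url" "$ua" "$dir/ua$n.html"
        printf '%s  %s\n' "$(body_hash "$dir/ua$n.html")" "$ua"
    done <<EOF
$UA_LIST
EOF
    distinct=$(count_distinct "$dir"/ua*.html)
    if [ "$distinct" -gt 1 ]; then
        echo "$distinct distinct bodies for $n User-Agents: the server reacts to User-Agent"
    else
        echo "all $n User-Agents received the same body: no User-Agent branching observed"
    fi
}

# Usage: probe_url http://www.example.com/ ./ua-probe
```

Before trusting a "reacts to User-Agent" verdict, fetch the page twice with the same User-Agent: if those two bodies already differ (rotating advertisements, timestamps, per-request tokens), the hash comparison is measuring dynamic content rather than User-Agent branching, and you should diff the saved files by hand instead of counting fingerprints.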
