JA4H: Would detect whenever the header sent is in uppercase or not add value to the fingerprinting?

[unixfox]

Very nice job in engineering the JA4H method.

While reading the paper, I was surprised to see that you do not take into account whenever the HTTP client sent each header with an uppercase for "each" word or not.

Accept-Encoding VS accept-encoding

I know by default it's rare that this second header in lowercase is sent by the major HTTP client libraries and browsers. But there are some examples where an HTTP header could be sent in lowercase instead of the uppercase:

• some HTTP proxies can make all the headers lowercase for "faster" processing. (I know NGINX is not an HTTP proxy as per se, but it sends the headers in lowercase to the backend)
• a developer can write the header in lowercase without thinking about it. Example in python, a developer that override the "accept" header for requesting an HTML page:

  import requests
  requests.get('http://localhost:8000', headers={'accept': 'text/html'})

  or even worse (mistakes can happen):

  import requests
  requests.get('http://localhost:8000', headers={'accept-Language': 'en,fr-FR;q=0.9,fr;q=0.8,en-US;q=0.7'})

• there may exist some HTTP client libraries that send all of their headers in lowercase

Same for the value of each HTTP header, while testing the python program I got the same hash for all of these 3 different code:

import requests
r = requests.get('http://localhost:8000', headers={'accept': 'text/html'})

import requests
r = requests.get('http://localhost:8000', headers={'Accept': 'text/html'})

import requests
r = requests.get('http://localhost:8000', headers={'Accept': 'text/htmL'})

Would it be interesting to add to your method? Or is it even feasible?

[john-althouse]

Thanks for the question unixfox!

Please see the technical details behind JA4H here: https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4H.md There you will see that "JA4H captures all HTTP header fields, case-sensitive" so the JA4H_b, the hash of the HTTP headers observed, is case-sensitive. JA4H does not normalize the HTTP content to any case. If you see that happening, it's a bug, please let us know so we can fix it!

That said, JA4H does not clearly call out if the headers are all lower-case or not, it just provides a hash. To see clearly if the headers are camel case, you would want to look at the JA4H_r (the raw fingerprint, unhashed). Does that answer your question?

[unixfox]

Thank you for your reply!

Indeed, I think that is an issue with the python implementation: https://github.com/FoxIO-LLC/ja4/issues/18

Sorry for not spotting earlier that the rust version worked fine.