Closed vysecurity closed 1 year ago
Hi Vincent, that Server header was encoded like that on purpose, exactly so that people can't just grep for it to change it 😉. Motivation being that people should actually go through the code at least a bit and make appropriate modifications before deploying.
Closing this as a won't-fix issue. Feel free to open a new issue or PR if you have any other suggestions!
Got it!
Issue Description
The code was not easily identifiable, making it more difficult to maintain or identify areas for modification.
E.g. https://github.com/chvancooten/NimPlant/blob/ff66479f26995da58998ede5edfdc5e7337fc5ef/server/util/listener.py#L27
For some reason the Server header is encoded in hex. If it was in just plain text we could grep for the string and change it.
Improvement
Put the cleartext server header in the code instead of the hex representation because it's running on the server anyways.
Also, what was the reason to use base16 on it? It's unlikely anyone would run this on the target system with Python installed, so obfuscation isn't really necessary.