Imperva Cyber Community

  • 1.  user-agent dalvik and curl

    Posted 02-10-2023 11:55
    Edited by Jose Yero 02-10-2023 11:55

    Hi guys.

    I'm looking at recent logs, and I have seen Dalvik/2.1.0 and curl within the user-agent requirement. Here are some examples:


    Dalvik/2.1.0 (Linux; U; Android 11; moto g(60)s Build/RRLS31.Q2X-70-39-5)
    app_process64 (unknown version) curl/7.81.0

    Based on your experience, is it suggested to block this traffic?


    #On-PremisesWAF(formerlySecuresphere)




  • 2.  RE: user-agent dalvik and curl

    Posted 02-14-2023 13:06

    Hi Jose,

    While I cannot provide a direct recommendation, I can provide some guidance.

    Tools like Dalvik and Curl exist in a grey area; they can be used for good - or they can be used for bad - the difference is in the wielder and the intent. 

    Attackers like to leverage these tools because it makes their "job" easier.

    Likewise, Quality Assurance (QA) testers also like to leverage these tools to make their job easier.

    Now, keeping this in mind, it is unlikely that QA teams will need to use these tools against production sites - whereas it may be common to use these tools against Dev/Test/UAT sites.

    I recommend opening a line of communication with your dev team(s) and/or business line(s) to determine if they have a legitimate business need to use these tools against a production site, and you can plan your course of action from there.



    ------------------------------
    JairedAnderson
    Imperva
    ------------------------------
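
Added example, not part of the original thread and not Imperva code: a small log triage script that parses the two user-agent strings quoted in the question and counts Dalvik and curl requests per host, so the numbers can be taken to the dev or business teams. The log layout, hostnames, IP addresses and the treatment of 401/403 as "denied" are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic). Assumed layout:
#   client_ip host "METHOD path" status "user-agent"
SAMPLE_LOG = '''\
192.0.2.10 shop.example.com "GET /api/v1/items" 200 "Dalvik/2.1.0 (Linux; U; Android 11; moto g(60)s Build/RRLS31.Q2X-70-39-5)"
192.0.2.10 shop.example.com "GET /api/v1/cart" 200 "Dalvik/2.1.0 (Linux; U; Android 11; moto g(60)s Build/RRLS31.Q2X-70-39-5)"
198.51.100.7 shop.example.com "GET /login" 401 "app_process64 (unknown version) curl/7.81.0"
198.51.100.7 shop.example.com "GET /admin" 403 "app_process64 (unknown version) curl/7.81.0"
203.0.113.5 uat.example.com "GET /health" 200 "curl/7.81.0"
203.0.113.9 shop.example.com "GET /" 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/110.0"
'''

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d{3}) "(.*)"$')
DALVIK_RE = re.compile(
    r'^Dalvik/([\d.]+) \(Linux; U; Android ([^;]+); (.+) Build/([^)]+)\)$')
CURL_RE = re.compile(r'\bcurl/([\d.]+)')

def classify_ua(ua):
    """Return the tool family and parsed fields for a User-Agent value.
    The header is client-controlled, so the result is a hint, not proof."""
    m = DALVIK_RE.match(ua)
    if m:
        return {"family": "dalvik", "vm": m.group(1), "android": m.group(2),
                "device": m.group(3), "build": m.group(4)}
    m = CURL_RE.search(ua)
    if m:
        return {"family": "curl", "version": m.group(1)}
    return {"family": "other"}

def summarise(log_text):
    """Count Dalvik/curl requests, distinct clients and denials per host."""
    stats = defaultdict(lambda: {"requests": 0, "clients": set(), "denied": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ip, host, _method, _path, status, ua = m.groups()
        family = classify_ua(ua)["family"]
        if family == "other":
            continue
        row = stats[(host, family)]
        row["requests"] += 1
        row["clients"].add(ip)
        if status in ("401", "403"):  # assumption: these mean "denied"
            row["denied"] += 1
    return dict(stats)
```

Running `summarise` separately on production and Dev/Test/UAT hosts shows where these tools actually appear, which is the distinction the reply above draws.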



  • 3.  RE: user-agent dalvik and curl

    Posted 02-23-2023 19:29

    Thank you very much for the answer.


