
Injected script into site corrupts important requests headers (e.g.: Content-Type)


Go to solution Solved by Igor Kurzin,


Zsolt Kovacs
Posted

Hi Support, I am an engineer at a global hiring platform and currently investigating some sporadic issues noticed by our customers during registration. Unfortunately this issue prevented our customers from completing their registration as our backend received malformed requests, although the frontend sends these requests correctly. After a consultation with our consumers and analysing their network traffic we noticed that each of them has Kaspersky installed and also a script injected into our website that wraps around the fetch API that the page uses.

The script intercepts the fetch API calls and modifies the headers to be sent. E.g.: the Content-Type header which was set as application/json is updated to:

"headers": [
  {
    "name": "0",
    "value": "Content-Type,application/json"
  },
...
]

By inspecting the injected code it seems the copyHeaderValues function causes this modification: the function receives the list of headers correctly, but after the processing the headers are set incorrectly on the initObject.headers field. The header format inconsistency is even more apparent if you compare the already added 2 headers (Content-Type and X-KL-kis-Ajax-Request).


Due to the incorrectly set (rather missing) Content-Type header our backend service throws an error. Of course this issue can be patched on the backend side as well, however I assume the customers having this code injected into their browser are having various issues on many websites due to these malformed headers, so the root cause should be fixed instead.

Our customers had the following script injected, I hope it helps: https://gc.kis.v2.scr.kaspersky-labs.com/FD126C42-EBFA-4E12-B309-BB3FDD723AC1/main.js?attr=07TcaJU8svcR2J7_g9N97xRyrhEZkQVFT7o65Z0RUnVBHZsvPjl9S-HLiEyv31cuIxuc7Gc0HINL6r8NzYE2mCMcKg0aBVbx3kL0YN4jTvd4iIpmCP2fuwBbaRoSV3VacQcI6h4cQJy56sTJ3UJfdYI6gdsCr66mBsvk048FHApSFHBlLL0eeIdQNhNyEMkz5e_41f_XMuVfAueYeIio20Q_VybtZ5mSRJQljOAJCyg

Based on my observation all of our cases happened on Windows 11 and apparently all 3 main browsers were affected (Edge, Chrome, FF). Our users confirmed that after disabling the "Inject script into web traffic to interact with web pages" option under the Security/Network settings they were able to complete their registration.

On my end I was also able to reproduce the issue on Windows 11 using Kaspersky 21.19.7.527(b) while browsing in Chrome (132.0.6834.111).

Could you please look into the issue?
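The malformed header reported above (name "0", value "Content-Type,application/json") is what results when headers supplied as an array of [name, value] pairs are copied as if they were a plain object. The following is an added example, not code from the injected script or from this thread: the function names are hypothetical, the sample headers are constructed, and it also shows a shape-aware copy and a server-side check for the symptom.

```javascript
// Added example: hypothetical reconstruction, not the injected script's code.
// fetch() accepts headers in three shapes: a Headers object, an array of
// [name, value] pairs, or a plain { name: value } record.

// Buggy copy: treats every input as a plain record. For an array of pairs,
// for...in yields the indices "0", "1", ... and String(pair) joins the pair
// with a comma, giving name "0" / value "Content-Type,application/json".
function naiveCopyHeaders(init, extra) {
  const out = {};
  for (const key in init) out[key] = String(init[key]);
  return Object.assign(out, extra);
}

// Shape-aware copy: iterables (Headers, arrays of pairs) yield [name, value];
// plain records are read with Object.entries. Names are lower-cased because
// header names are case-insensitive.
function copyHeaders(init, extra) {
  const out = {};
  const pairs = init == null ? []
    : typeof init[Symbol.iterator] === "function" ? Array.from(init)
    : Object.entries(init);
  for (const [name, value] of pairs.concat(Object.entries(extra || {}))) {
    out[String(name).toLowerCase()] = String(value);
  }
  return out;
}

// Server-side check for the symptom: a header whose name is a bare array
// index and whose value looks like "Name,value".
function looksLikeFlattenedPair(name, value) {
  return /^\d+$/.test(name) && /^[A-Za-z0-9-]+,/.test(value);
}

// Constructed sample input: the page's request headers as an array of pairs,
// plus one added header (its value here is a placeholder).
const pageHeaders = [["Content-Type", "application/json"]];
const added = { "X-KL-kis-Ajax-Request": "placeholder" };

console.log(naiveCopyHeaders(pageHeaders, added)); // malformed: key "0"
console.log(copyHeaders(pageHeaders, added));      // content-type preserved
```

Logging requests that match `looksLikeFlattenedPair` on the backend gives a way to count affected clients without relying on user reports.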

 

 

Flood and Flood's wife
Posted
Hello @Zsolt Kovacs

Welcome!

  1. Inject script into web traffic to interact with web pages is often recommended/suggested as *test* to determine/troubleshoot/analyse issues; it's rarely a solution, definitely not a preferred solution as it impacts the operation of such components as Safe Money, Private Browsing, Anti-Banner, and URL Advisor.
  2. As an *exclusion* -> the affected domain can be added to Security settings, Network settings, Configure trusted addresses, that may assist the users to re-enable Inject script into web traffic to interact with web pages - so important functionality is still available to them in their Kaspersky software. Please share if that assists
  3. *Also*, IF (you) have licensed Kaspersky software, please log a request with Kaspersky Customer Service, https://support.kaspersky.com/b2c#contacts -> select either Email or Chat, then fill in the template as shown;  please select (your) Kaspersky application from the drop-down list available (A); include a *detailed history*; Support may request: GSI, Console & Har logs -> (captured while the problem is replicated) & other data; they will guide you.
  4. *Also* -> IF using Chat - *before* ending the chat -> ask the operator to email (you) a copy of the chat transcript - otherwise (you'll) have no record of the chat
  5. Please post back the Incident reference number, when it's available? 
  6. Kaspersky are aware of (your) topic. 


Thank you
Flood

Zsolt Kovacs
Posted

Hi @Igor Kurzin, thanks for the suggestion, indeed updating to version 21.20.8.505 has resolved the issue.
