
Multiple values seen in http request header when connecting over GPRS / WAP


When I make a request to the web service over WiFi everything works well, but when the same request is made over GPRS with a WAP connection (I did not in any way force the connection to be WAP; this might be carrier dependent. Testing was done in Argentina), the server receives duplicate values in both Content-Type and Content-Length.

Below is the same request as logged on the server, first over WiFi and second over GPRS.

Over WiFi:

POST /ODP/Services.asmx HTTP/1.1 
User-Agent: kSOAP/2.0 
SOAPAction: http://temphost.org/RetrieveConfiguration 
Content-Type: text/xml 
Connection: close 
Content-Length: 464 
Host: temp.host.com 
Accept-Encoding: gzip 

Over GPRS:

POST /ODP/Services.asmx HTTP/1.1 
Accept-Encoding: deflate, gzip, identity 
Content-Length: 464, 464 
Content-Type: text/xml, text/xml 
Host: temp.host.com 
SOAPAction: http://temphost.org/RetrieveConfiguration 
User-Agent: kSOAP/2.0 
X-WAP-WTLSEncryptiontype: NONE 
X-WAP-Bearerinfo: W-HTTPS=FALSE, bearertype=0 
Via: W-HTTP/1.1 wgw-fe6 EMIG 5.1 
x-msisdn: <User Phone number> 
x-up-calling-line-id: <User Phone number> 
x-technology-stack: Unknown 
TE: trailers 
Connection: TE 

I am not able to understand how and where the multiple values are being added in the request for the Content-Type & Content-Length headers.

Can somebody enlighten me as to what is wrong with the WAP connection, or is it being added at the carrier end while modifying the request to WAP?


Solution

  • Sadly there's nothing to do on the client side (customer/phone/browser), but there are some possible scenarios for approaching a solution. If you're the web developer (VASP side), you need to take care with the URL/URI size in order to prevent the POST from needing more than one packet. If you're the web server manager (VASP/Telco side), you can define that multiple values are going to be accepted for these specific headers (when equal). In this scenario you need to be aware that you're going to put your server at risk of an HTTP response splitting attack. If you're the proxy admin (Telco side), you can tune your GW to discard the extra header instead of merging them into one header containing multiple values, but in this scenario you need to be aware that you're going to be outside the RFC recommendations.
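
For the web server option above (accept repeated values only when they are equal), this is one way the check could look. It is an added example, not code from the original answer: the function names are hypothetical, the Content-Length rule follows RFC 7230 section 3.3.2, and the Content-Type handling is an assumed policy.

```python
import re


class AmbiguousHeader(ValueError):
    """Merged header values disagree; the request should be answered with 400."""


def collapse_content_length(raw: str) -> int:
    # RFC 7230 section 3.3.2: a list of identical decimal values may be
    # replaced by that single value; any other list must be rejected.
    parts = [p.strip() for p in raw.split(",")]
    if not all(re.fullmatch(r"[0-9]+", p) for p in parts):
        raise AmbiguousHeader(f"malformed Content-Length: {raw!r}")
    values = {int(p) for p in parts}
    if len(values) != 1:
        raise AmbiguousHeader(f"conflicting Content-Length values: {raw!r}")
    return values.pop()


def collapse_content_type(raw: str) -> str:
    # Content-Type is a single-valued field. Assumed policy for this example:
    # accept a merged list only when every element is identical.
    if '"' in raw:  # quoted parameters may contain commas, so do not split
        return raw.strip()
    parts = [p.strip() for p in raw.split(",")]
    if "" in parts or len(set(parts)) != 1:
        raise AmbiguousHeader(f"conflicting Content-Type values: {raw!r}")
    return parts[0]


def normalise(headers: dict) -> dict:
    """Return a copy of the headers with gateway-merged duplicates collapsed."""
    out = dict(headers)
    if "Content-Length" in out:
        out["Content-Length"] = str(collapse_content_length(out["Content-Length"]))
    if "Content-Type" in out:
        out["Content-Type"] = collapse_content_type(out["Content-Type"])
    return out


# Header values copied from the GPRS request shown in the question.
GPRS_HEADERS = {"Content-Length": "464, 464", "Content-Type": "text/xml, text/xml"}

if __name__ == "__main__":
    print(normalise(GPRS_HEADERS))
    try:
        collapse_content_length("464, 0")  # constructed conflicting value
    except AmbiguousHeader as exc:
        print("rejected:", exc)
```

Rejecting unequal values is what keeps the body length unambiguous between the gateway and the server, so the normalisation should run before anything reads the request body.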