So this might be a long, long shot, yet I am completely stumped on what might be causing this issue:
I am delivering a client side JavaScript, that parses certain parameters on the page where it is embedded, uses these parameters to construct a URL and inject an iframe using that URL into the page like:
var queryParams = {
param: 'foo'
, other: 'bar'
};
is turned into:
<iframe src="http://example.net/iframes/123?param=foo&other=bar"></iframe>
This is working quite fine, I am delivering around 1.5 million requests per day. Yet I recently noticed that in around 3.000 cases per day the values of the query parameters are shuffled, so sth like this gets requested:
<iframe src="http://example.net/iframes/123?param=ofo&other=rba"></iframe>
Judging from the logs this is tied to specific users, and the jumbling of characters will happen anew on each request, so I can see sequences like this when a user is browsing the site with multiple pages using the script:
108.161.183.122 - - [14/Sep/2015:15:18:51 +0000] "GET /iframe/ogequl093iwsfr8n?param=3a1bc2 HTTP/1.0" 401 11601 "http://www.example.net/gallery?page=1" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
108.161.183.122 - - [14/Sep/2015:15:19:07 +0000] "GET /iframe/ogequl093iwsfr8n?param=a21b3c HTTP/1.0" 401 11601 "http://www.example.net/gallery?page=2" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
108.161.183.122 - - [14/Sep/2015:15:19:29 +0000] "GET /iframe/ogequl093iwsfr8n?param=ba132c HTTP/1.0" 401 11601 "http://www.example.net/gallery?page=3" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
The 401 is happening on purpose as the server expects param=abc123.
I also noticed that the majority of errors is happening in Firefox and Safari, not a single erroneous URL has been requested by Google Chrome.
The library I am using for turning the object into a query string is: query-string - but looking at the source code I cannot see any potential for a bug of that kind in there, there's nothing that is done to the values which is not done to the keys (which are not messed up).
Has anyone ever encountered anything similar? Is this some weird browser extension? Is this a collision of my script with another library extending prototypes? Is this malware? Is this something I am completely unaware of? I'd be thankful for any hint because I am really clueless and this is really driving me crazy.
EDIT: I just discovered that another of our public facing services is currently being probed by sth called "Burp Suite". Having a look at their website I see they have a tool called "Payload fuzzing" which seems to do pretty much what is described here: https://portswigger.net/burp/help/intruder_gettingstarted.html or here: https://portswigger.net/burp/help/intruder_using.html#uses_enumerating - The whole tool smells semi-fishy to me, so I this might be something worth investigating further. Has anyone else ever heard of this toolset?
As I already mentioned here Google Analytics Event Permutation there is a specific version (at least 1.0.37) of the Firefox add-on "Cliqz" having an anti-tracking-functionality built in.