Hello and welcome to the Monday, September 22nd, 2025 edition of the Sands Internet Storm Sunners, Stormcast.

My name is Johannes Ulrich, recording today from Las Vegas, Nevada.

And this episode is brought you by the Sands.edu bachelor's degree program in Applied Cybersecurity.

This weekend I tried a little bit something different with my diary, something that we have done in the past, and I think I haven't really done as much recently as we should.

And that's well, really just post an observation

where I have no idea what it's about. And hopefully someone here in the audience or someone who

read it in a storm center will be able to fill in some of the gaps here. The problem is

an sort of interesting request that our honeypots

have been seen lately.

And of course, honeypots typically are

being hit by sort of malicious

requests. And that's why I suspect that this is some kind

of maybe recon scan or whatever.

The HTTP header that sort of made this request stick out is the X-forwarded app header.

When you're dealing with proxies, they're usually like the X-forwarded host, X-forward IP address,

and the headers like that being used to indicate if a request went through a proxy and, well, what the original

client IP address was. This looks like something similar, and quite often headers like this

with proxies are being used to potentially bypass authentication, bypass access control, because, well, then the recipient

believes that this is actually an already authenticated request that was authenticated by

some proxy. That's my guess at this point. Now, the string, the value being provided with

this app header is somewhat random.

It's always app dot.

...