Hello everyone. I am hoping someone out there might have insight into a Windows WebDAV bug / configuration issue I have been trying to isolate the cause of for something like a decade. In the discussion below IPs and URLs have been changed to local non-routables for privacy. The actual requests were between a customer in their office using Windows 10 and a remote Apache webserver hosting a client's shopping cart.
The ModSecurity firewall has a default rule to block spurious WebDAV attempts against web servers that do not allow this protocol. It's an effective method for catching and blocking malicious bots trying to poll for vulnerabilities. Unfortunately, for unknown reasons some Windows machines will send spurious WebDAV requests like this Windows 10 machine attempting WebDAV against our webserver:
192.168.1.1 - - [21/Mar/2022:08:26:07 -0700] "OPTIONS /shop_closed.html HTTP/1.1" 403 3455 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
The machine this request originated from was a customer's Windows 10 install and aside from the spurious WebDAV attempts, they were just browsing my client's shopping cart:
192.168.1.1 - - [21/Mar/2022:08:19:00 -0700] "GET /cart.php HTTP/1.1" 200 161 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36"
When Windows installs start sending these WebDAV requests, they usually will pick a specific file and keep requesting that one file until eventually they get automatically blocked by our firewall. In this case the customer was using Chrome but the problem is not specific to the browser the customer is using (I have seen it occur with customers using IE and Edge as well).
There is zero reason for the customer's machine to be sending WebDAV requests to our server. We are not on their local network and they do not manage any files on our server. Note that the customer is not intentionally triggering these requests, they just occur seemingly randomly. They also do not occur for all Windows users, just a subset. The user agent in the requests is always whatever version of "Microsoft-WebDAV-MiniRedir" the client has installed.
Does anyone have any idea what triggers these spurious WebDAV requests? This has been a bugbear for years now and I would dearly love to nail down the cause.
Cheers
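As an added example (not code from the post, from Microsoft or from the ModSecurity project), a small Python script that picks the Mini-Redirector requests out of Apache combined-log lines and flags the "one file requested over and over" pattern the post describes; the embedded log lines are constructed to resemble the ones quoted, and the User-Agent prefix and the threshold are assumptions.

```python
import re
from collections import Counter

# Apache combined log format, matching the shape of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (IPs are non-routable placeholders, as in the post).
SAMPLE_LOG = """\
192.168.1.1 - - [21/Mar/2022:08:19:00 -0700] "GET /cart.php HTTP/1.1" 200 161 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36"
192.168.1.1 - - [21/Mar/2022:08:26:07 -0700] "OPTIONS /shop_closed.html HTTP/1.1" 403 3455 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
192.168.1.1 - - [21/Mar/2022:08:26:09 -0700] "OPTIONS /shop_closed.html HTTP/1.1" 403 3455 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
192.168.1.1 - - [21/Mar/2022:08:26:12 -0700] "PROPFIND /shop_closed.html HTTP/1.1" 403 3455 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
192.168.1.2 - - [21/Mar/2022:09:01:41 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/98.0"
"""

# Assumed User-Agent prefix, taken from the request quoted in the post.
MINIREDIR_UA = "Microsoft-WebDAV-MiniRedir/"


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def miniredir_hits(log_text):
    """Count requests per (ip, path) whose User-Agent is the Windows WebDAV Mini-Redirector.
    Keying on the UA rather than the method keeps the same customer's ordinary
    browser traffic (the GET /cart.php line) out of the count."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ua"].startswith(MINIREDIR_UA):
            hits[(rec["ip"], rec["path"])] += 1
    return hits


def repeat_offenders(log_text, threshold=2):
    """(ip, path) pairs the Mini-Redirector has hit at least `threshold` times:
    the 'keeps requesting that one file' behaviour the post describes."""
    return sorted(k for k, n in miniredir_hits(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for (ip, path) in repeat_offenders(SAMPLE_LOG):
        print(f"{ip} repeatedly probing {path} via WebDAV Mini-Redirector")
```

Running it over a real access log in place of SAMPLE_LOG shows which client/file pairs are generating the noise before ModSecurity's WebDAV rule blocks the address.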
Following up my own post as this seems relevant:
https://blog.didierstevens.com/2017/11/13/webdav-traffic-to-malicious-sites/
file:// URIs may be partially what is triggering this behaviour.