I'm seeing weird requests from a user who seems to be legit otherwise. Basically, it seems like some characters in the requests their browser makes are replaced, seemingly at random. From my apache2 logs:
wdomain.com:80 A.B.C.D - - [01/Jul/2015:14:21:05 +0200] "POST /index.php?id=699&dID=foo HTTP/1.1" 301 608 1822125 "http://www.vdomain.se/my-profile/private-messages/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTLL, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
For instance, here `dID` should be `eID`. `vdomain` in the referrer should be `wdomain`. And `KHTLL` in the user-agent should be `KHTML`, of course!
wdomain.com:80 A.B.C.D - - [01/Jul/2015:14:21:11 +0200] "GET /my-profile/private-messages/?dID=foo HTTP/1.1" 404 24471 541869 "http://wdomain.com/my-psofile/private-messages/" "Mozilla/5.0 (Macintosh; Intel Mac NS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2357.124 Safari/537.36"
Here `my-profile` in the referrer has been switched to `my-psofile`.
What could cause these seemingly random substitutions? It seems like a rogue extension could be ruled out, since some substitutions should not come from changes in the DOM, such as the change in the referrer and user-agent. Since the user seems benign otherwise, and since the changes are so random, it seems unlikely that there is any malicious intent.
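As an added example, not part of the question above: the first thing to check when characters appear to be "replaced at random" is which bits actually differ between the observed and the expected bytes, because a rewrite by software usually swaps whole tokens, whereas a fault in RAM, a NIC or a cable tends to show up as the same bit flipping every time. The script below compares strings byte by byte and reports the XOR of each differing pair. The expected strings are reconstructed from the corrections the asker gives (`eID`, `wdomain`, `KHTML`, `my-profile`); pairing the user-agent strings of the two requests against each other is my own assumption (same client, six seconds apart), and the log lines are the two quoted in the question.

```python
"""Byte-level comparison of the log lines quoted in the question.

Added example, not code from the original post.  For each pair
(observed, expected) it lists every differing position together with
both bytes and their XOR, so the bits that changed are visible at a glance.
"""
from typing import List, Set, Tuple

Diff = Tuple[int, str, str, int]  # (offset, observed char, expected char, xor)


def char_diffs(observed: str, expected: str) -> List[Diff]:
    """Return one entry per position where the two strings differ.

    Only substitutions are compared, so both strings must have equal length;
    an insertion or deletion would need a real diff algorithm instead.
    """
    if len(observed) != len(expected):
        raise ValueError("lengths differ; substitution-only comparison needs equal length")
    return [
        (i, o, e, ord(o) ^ ord(e))
        for i, (o, e) in enumerate(zip(observed, expected))
        if o != e
    ]


def flipped_bits(diffs: List[Diff]) -> Set[int]:
    """Bit positions (0 = least significant) that differ in any entry."""
    bits: Set[int] = set()
    for _, _, _, x in diffs:
        bits.update(b for b in range(8) if (x >> b) & 1)
    return bits


def is_single_bit(diffs: List[Diff]) -> bool:
    """True when every differing byte pair differs in exactly one bit."""
    return all(x != 0 and x & (x - 1) == 0 for _, _, _, x in diffs)


def report(label: str, observed: str, expected: str) -> List[str]:
    """Human-readable lines for one comparison (also returned for testing)."""
    diffs = char_diffs(observed, expected)
    lines = [f"{label}: {len(diffs)} differing byte(s), bits {sorted(flipped_bits(diffs))}, "
             f"single-bit only: {is_single_bit(diffs)}"]
    for off, o, e, x in diffs:
        lines.append(f"  offset {off:4d}: got {o!r} (0x{ord(o):02x}) "
                     f"expected {e!r} (0x{ord(e):02x}) xor 0x{x:02x}")
    return lines


# --- the two log lines quoted in the question (constructed sample input) ---
OBSERVED_1 = ('wdomain.com:80 A.B.C.D - - [01/Jul/2015:14:21:05 +0200] '
              '"POST /index.php?id=699&dID=foo HTTP/1.1" 301 608 1822125 '
              '"http://www.vdomain.se/my-profile/private-messages/" '
              '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 '
              '(KHTLL, like Gecko) Chrome/43.0.2357.124 Safari/537.36"')
# Expected form reconstructed from the corrections given in the question.
EXPECTED_1 = (OBSERVED_1.replace("dID=", "eID=")
                        .replace("vdomain", "wdomain")
                        .replace("KHTLL", "KHTML"))

OBSERVED_2 = ('wdomain.com:80 A.B.C.D - - [01/Jul/2015:14:21:11 +0200] '
              '"GET /my-profile/private-messages/?dID=foo HTTP/1.1" 404 24471 541869 '
              '"http://wdomain.com/my-psofile/private-messages/" '
              '"Mozilla/5.0 (Macintosh; Intel Mac NS X 10_10_3) AppleWebKit/537.36 '
              '(KHTML, like Gecko) Chrome/53.0.2357.124 Safari/537.36"')
EXPECTED_2 = OBSERVED_2.replace("my-psofile", "my-profile")

# Assumption: both requests come from the same browser, so the two
# user-agent strings can be compared directly against each other.
UA_1 = OBSERVED_1.rsplit('"', 2)[1]
UA_2 = OBSERVED_2.rsplit('"', 2)[1]


if __name__ == "__main__":
    for line in (report("request 1 vs corrected", OBSERVED_1, EXPECTED_1)
                 + report("request 2 vs corrected", OBSERVED_2, EXPECTED_2)
                 + report("user-agent 2 vs user-agent 1", UA_2, UA_1)):
        print(line)
```

Besides the `my-psofile` change the question points out, the second request's user-agent also differs from the first one's in `Mac NS X` versus `Mac OS X` and `Chrome/53` versus `Chrome/43`; the script lists those too. Whether every reported pair shares the same XOR value is the observation worth taking to whoever investigates the client: a consistent single-bit difference points at hardware, a mix of arbitrary byte values at software.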