from thze blogpost:
"TL;DR I can craft a page “polluting” CDNs, blogging platforms and other
major networks with my cookies. Your browser will keep sending those
cookies
and servers will reject the requests, because Cookie header will be very
long. The entire Internet will look down to you.
I have no idea if it’s a known trick, but I believe it should be fixed.
Severity: depends. I checked only with Chrome.
We all know a cookie can only contain 4k of data.
How many cookies can I creates? Many!
What cookies is browser going to send with every request? All of
them!
How do servers usually react if the request is too long? They don’t
respond
"
i checked it, and it works, i get the following error back:
400 Bad Request
Request Header Or Cookie Too Large
my question: is there a generic way to check the size of such headers
like
cookies etc
and to cut them off, or should we live with such malicious intent?
…
my question: is there a generic way to check the size of such headers like
cookies etc and to cut them off, or should we live with such malicious intent?
no good one size fits all solution that i have found. trade off here
and you worsen over there…
i have worked on an internal system (not public endpoint, internal to
DMZ only) where the request URL, or any one of the individual request
header values could approach 32KBytes in size, with a full client or
server header reaching 64+KB.
we use a custom Nginx build to handle this on the internal proxy tier
only, not public. the public endpoints respond with a custom empty
json response body for all such 4xx/5xx errors instead of default 400
like above.
i’d love to know of more elegant ways to handle this, with header
specific handling - especially cookies, if possible…
best regards,
P.S. off-topic, but i have used this “feature” before to check for
content middling proxies between me and endpoints. such headers often
resulting in proxy errors or timeouts even when implemented in
transparent trying to be inconspicuous mode.
i checked it, and it works, i get the following error back:
400 Bad Request
Request Header Or Cookie Too Large
my question: is there a generic way to check the size of such headers like
cookies etc
and to cut them off, or should we live with such malicious intent?
[…]
You can include into this “Request Header Or Cookie Too Large” error
page
a JS script that will clear cookies.
excellent! i agree this would be quite useful in general and
appropriate for this specific situation. i’m fond of Lua for
mysql-proxy, nmap, and other situations which share similar technical
demands for extending built in behavior.
i would love to know more as you make progress.
best regards,
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.
