very interesting read:
from thze blogpost:
"TL;DR I can craft a page “polluting” CDNs, blogging platforms and other
major networks with my cookies. Your browser will keep sending those
and servers will reject the requests, because Cookie header will be very
long. The entire Internet will look down to you.
I have no idea if it’s a known trick, but I believe it should be fixed.
Severity: depends. I checked only with Chrome.
We all know a cookie can only contain 4k of data.
How many cookies can I creates? Many!
What cookies is browser going to send with every request? All of
How do servers usually react if the request is too long? They don’t
i checked it, and it works, i get the following error back:
400 Bad Request
Request Header Or Cookie Too Large
my question: is there a generic way to check the size of such headers
and to cut them off, or should we live with such malicious intent?
Posted at Nginx Forum: