Welcome! Log In Create A New Profile

Advanced

cookie bomb - how to protect?

mex
January 19, 2014 11:06AM
very interesting read: http://homakov.blogspot.de/2014/01/cookie-bomb-or-lets-break-internet.html

from thze blogpost:
"TL;DR I can craft a page "polluting" CDNs, blogging platforms and other major networks with my cookies. Your browser will keep sending those cookies and servers will reject the requests, because Cookie header will be very long. The entire Internet will look down to you.
I have no idea if it's a known trick, but I believe it should be fixed. Severity: depends. I checked only with Chrome.

We all know a cookie can only contain 4k of data.
How many cookies can I creates? **Many!**
What cookies is browser going to send with every request? **All of them!**
How do servers usually react if the request is too long? **They don't respond**
"

i checked it, and it works, i get the following error back:

400 Bad Request

Request Header Or Cookie Too Large

my question: is there a generic way to check the size of such headers like cookies etc
and to cut them off, or should we live with such malicious intent?




regards,


mex
Subject Author Posted

cookie bomb - how to protect?

mex January 19, 2014 11:06AM

Re: cookie bomb - how to protect?

coderman January 19, 2014 11:36AM

Re: cookie bomb - how to protect?

coderman January 19, 2014 11:40AM

Re: cookie bomb - how to protect?

mex January 19, 2014 04:42PM

Re: cookie bomb - how to protect?

coderman January 19, 2014 07:48PM

Re: cookie bomb - how to protect?

Valentin V. Bartenev January 19, 2014 11:48AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 81
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready