On Wed, Sep 14, 2022 at 11:38 AM Larry Garfield <la...@garfieldtech.com> wrote:
> > I think the key question here is if there is a reasonable action the > developer could take if an over-sized request came in. PHP itself can dump > that to the log, but is there anything reasonable beyond that the developer > could do, if they could detect it? > > And is anyone doing that now? > > --Larry Garfield > > Honestly, another question I'm thinking about at the moment is whether it's possible to construct an attack against known script behavior if you also are able to determine the ini config at which partial form data would make it to the script with the script thinking it has full form data. To be clear, I haven't been able to think of one, but I also recognize that I'm not nearly as clever at those sorts of things as some attackers are. I suppose that would depend on both the form and the script though. Jordan
