On Monday 28 November 2011, Nick Kew wrote:
On 28 Nov 2011, at 00:37, Stefan Fritsch wrote:
Hi,
while browsing a bit through Michal Zalewski's new Tangled Web
book, I was reminded again that we are very forgiving about what
we accept as a request. Is this really a good idea in the
On 28 Nov 2011, at 00:37, Stefan Fritsch wrote:
* With 'ProxyRequests off', we accept absolute URLs like http://hostname/path
for local requests, but we don't check that the hostname contained in it
actually matches the Host header if there is one. The hostname from the URI
is then used
Hi,
while browsing a bit through Michal Zalewski's new Tangled Web book,
I was reminded again that we are very forgiving about what we accept
as a request. Is this really a good idea in the time of lots of web
security issues?
Examples include:
* in the request line, the protocol may be
On 28 Nov 2011, at 00:37, Stefan Fritsch wrote:
Hi,
while browsing a bit through Michal Zalewski's new Tangled Web book,
I was reminded again that we are very forgiving about what we accept
as a request. Is this really a good idea in the time of lots of web
security issues?
Sounds