Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] OOM by huge header size attack: setResponseHeaderSize won't work
#!/bin/bash

# Create a big header value
echo -n "X-Huge: " > big-header.tmp
openssl rand -base64 80000 | tr -d '\n' >> big-header.tmp

# Issue the request
curl -v -H "$(cat big-header.tmp)" http://localhost:8080/test/

With the testing of it ...

$ ./curl-bigrequest.sh
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /test/ HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.53.1
> Accept: */*
> X-Huge: Ccq6uj0NVMiRRa...(snip huge header)...0TQnj+05cXtdNgjgIHGs=
>
< HTTP/1.1 431 Request Header Fields Too Large
< Content-Type: text/html;charset=iso-8859-1
< Content-Length: 74
< Connection: close
< Server: Jetty(9.4.3.v20170317)
<
* Closing connection 0
<h1>Bad Message 431</h1><pre>reason: Request Header Fields Too Large</pre>

Seems like its working fine on Jetty 9.4.3 at least.

Lets see about latest Jetty 9.2 ...

$ ./curl-bigrequest.sh
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /test/ HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.53.1
> Accept: */*
> X-Huge: 1Kp7vXpbrf...(snip huge header)...I6QHbIqk=
>
< HTTP/1.1 413 Request Entity Too Large
< Content-Length: 0
< Connection: close
< Server: Jetty(9.2.21.v20170120)
<
* Closing connection 0


The server side logs on Jetty 9.2.21 shows ...

2017-03-23 11:33:08.031:WARN:oejh.HttpParser:qtp463345942-36: Header is too large >8192
2017-03-23 11:33:08.031:WARN:oejh.HttpParser:qtp463345942-36: badMessage: 413 for HttpChannelOverHttp@7817c547{r=0,c=false,a=IDLE,uri=/test/}
2017-03-23 11:33:08.032:WARN:oejh.HttpParser:qtp463345942-36: badMessage: java.lang.IllegalStateException: too much data after closed for HttpChannelOverHttp@7817c547{r=0,c=true,a=COMPLETED,uri=/test/}

Seems to be responding appropriately.


Joakim Erdfelt / joakim@xxxxxxxxxxx

On Thu, Mar 23, 2017 at 10:39 AM, Jesse McConnell <jesse.mcconnell@xxxxxxxxx> wrote:
I'll also point out that 9.2.1 is from 2014-06-09 and 20 bugfix releases behind on just the 9.2.x development branch.

We released 9.4.3 earlier this week. :)

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx

On Thu, Mar 23, 2017 at 12:35 PM, Conan <yk.cadcg@xxxxxxxxx> wrote:
jetty version is 9.2.1 and java version is 1.8, thanks so much!

Thanks,
Conan


On Thu, Mar 23, 2017 at 10:22 AM, Jesse McConnell <jesse.mcconnell@xxxxxxxxx> wrote:
what version of java and jetty?

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx

On Thu, Mar 23, 2017 at 12:20 PM, Conan <yk.cadcg@xxxxxxxxx> wrote:


Folks,

  We use NiFi which embeds Jetty Server. Our test team found a security bug by intercepting the http request and replacing the header with a huge (say 1GB) text, which sent the response to NCM, which got OOM:

2017-03-07 03:44:03,522 WARN [NiFi Web Server-22] o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for [id=99a65e79-b856-4e43-9056-1451714498fc, apiAddress=129.188.35.109, apiPort=38484, socketAddress=129.188.35.109, socketPort=39494, siteToSiteAddress=129.188.35.109, siteToSitePort=null] encountered exception: java.util.concurrent.ExecutionException: java.lang.OutOfMemoryError: Java heap space


 We tried setResponseHeaderSize here http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/HttpConfiguration.html#setResponseHeaderSize-int- but it didn't seem to work: it seems to us that the huge fake header got received before this limit takes effect, as a result, the NCM got OOM in the first place.

Are we missing anything, or is there a potential bug with setResponseHeaderSize, please?


Thanks,
Conan&Sherry


_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

Back to the top