@silverpill @liaizon check this
https://blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
-
-
@Profpatsch @silverpill I like this presentation

-
@silverpill @liaizon What does this mean? “Follow redirects, but set a limit. Request must be re-signed after every redirect.”
do you mean I have to check the new http signature on every 30x response? I don’t believe that can work??
-
@silverpill @liaizon Another issue I noticed: “set a max request/response size” means that we are essentially forced to implement paging of outboxes both on client and server
-
@silverpill @liaizon we should also definitely provide some actual values here, otherwise it’s pretty useless tbh …
-
@Profpatsch You need to create a new signature because the request target is changing. It is a part of a signature base, so the initial signature becomes invalid when the client follows a redirect.
-
@Profpatsch @liaizon The guide recommends limiting the response size, to prevent DoS.
I also found this in your SECURITY.md:
-
@silverpill @liaizon yeah, but in essence anything that produces or consumes an outbox needs to implement paging because of that.
-
@silverpill @liaizon Which, fine, all resources from other places need to be restricted to prevent DoS attacks anyway.
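Added example, not written by any participant in this thread: a client that follows redirects with a hop limit and a response-size limit, re-signing each hop because `(request-target)` is part of the signing string, as silverpill explains above. HMAC-SHA256 stands in for the RSA-SHA256 signatures ActivityPub servers actually use; the limits, hostnames and fake server are constructed values, not ones the guide specifies.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

MAX_REDIRECTS = 5               # constructed limit, not a value from the guide
MAX_RESPONSE_BYTES = 1_000_000  # constructed limit, not a value from the guide

def signing_string(method, url, headers):
    # draft-cavage signing string; (request-target) is covered, so the
    # string (and the signature over it) changes on every redirect.
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    lines = [f"(request-target): {method.lower()} {target}"]
    for name in ("host", "date"):
        lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines)

def sign(secret, method, url, headers):
    # Stand-in signer: HMAC-SHA256 over the signing string. ActivityPub
    # servers sign the same string with the actor's RSA key instead.
    base = signing_string(method, url, headers).encode()
    return hmac.new(secret, base, hashlib.sha256).hexdigest()

def fetch_signed(fetch, secret, method, url, headers):
    # fetch(method, url, headers) -> (status, location, body). Follows at
    # most MAX_REDIRECTS hops, re-signing each, and bounds the body size.
    hops = []
    for _ in range(MAX_REDIRECTS + 1):
        hop_headers = dict(headers, host=urlsplit(url).netloc)
        sig = sign(secret, method, url, hop_headers)
        hops.append((url, sig))
        status, location, body = fetch(method, url, dict(hop_headers, signature=sig))
        if 300 <= status < 400 and location:
            url = location  # next iteration re-signs for the new target
            continue
        if len(body) > MAX_RESPONSE_BYTES:
            raise ValueError("response too large")
        return status, body, hops
    raise ValueError("too many redirects")

# Constructed fake server: one cross-host redirect, then a small body.
FAKE_SITE = {
    "https://a.example/inbox": (307, "https://b.example/inbox", b""),
    "https://b.example/inbox": (200, None, b'{"type": "OrderedCollection"}'),
}

def fake_fetch(method, url, headers):
    return FAKE_SITE[url]
```

Each entry in `hops` carries a different signature even though key, method and date are unchanged, which is the point of re-signing after a redirect.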