irigsoft Posted May 24, 2022

Hello,

For security reasons, I want to control some of the application headers, such as:

Accept - in my own application the Accept request header is always */* and I want to set it at the start of the APP
Content-Length and others

I'm trying to set these headers in my TUniServerModule.UniGUIServerModuleHTTPCommand, but when I check it with the Google console, I don't see any changes to the request headers. I'm trying to set it up in my CustomHeaders, but then the changes are only in the response headers.

So how do I control the request headers in my standalone application, or how do I check if it has changed?
irigsoft Posted May 27, 2022 Author

Hello,

I created control over the length of POST content (why it is important: https://portswigger.net/web-security/request-smuggling and https://portswigger.net/web-security/request-smuggling/advanced/request-tunnelling).

On a POST command the message body can be sent in 2 ways:
1. as text (must control Content-Length)
2. as a Stream (must control PostStream)

TUniServerModule.UniGUIServerModuleHTTPCommand:

```pascal
// Needs IdCustomHTTPServer (TIdHTTPRequestInfo / TIdHTTPResponseInfo)
// and SysUtils in the uses clause of the server module unit.
procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo;
  AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
var
  MyRequestContentLength: Int64; // in bytes
begin
  MyRequestContentLength := 2000; // I want to limit the request size to 2000 bytes

  // The Content-Length header indicates the size of the message body, in bytes,
  // sent to the recipient.
  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Length
  if MyRequestContentLength > 0 then
  begin
    // 1. check whether the request header has a Content-Length
    if ARequestInfo.HasContentLength then
    begin
      // close the session if the POST Content-Length is bigger than MyRequestContentLength.
      // This will fail on HTTP 1.1: HTTP 1.1 servers are required to allow clients to
      // post data using the "chunked" transfer encoding, in which case there is no
      // Content-Length header (or it is 0) and the data length is not known until the
      // final chunk has been received. Fortunately, you can look at the
      // Transfer-Encoding header.
      if ARequestInfo.ContentLength > MyRequestContentLength then
      begin
        AResponseInfo.ContentText := '<h1>Access denied: BIGGER ContentLength</h1>';
        Handled := True;
        AResponseInfo.CloseConnection := True;
        AResponseInfo.CloseSession;
        Exit;
      end;
    end;

    // 2. close the session if the POST PostStream.Size is bigger than MyRequestContentLength
    if ARequestInfo.PostStream <> nil then
    begin
      if ARequestInfo.PostStream.Size > MyRequestContentLength then
      begin
        AResponseInfo.ContentText := '<h1>Access denied: BIGGER POST Stream Size</h1>';
        Handled := True;
        AResponseInfo.CloseConnection := True;
        AResponseInfo.CloseSession;
        Exit;
      end; // if ARequestInfo.PostStream.Size > MyRequestContentLength
    end; // if ARequestInfo.PostStream <> nil
  end;
end;
```

I also add Chunked Encoding control (in the same handler):

```pascal
// deny the request if chunked transfer encoding is announced anywhere in the headers
if (AnsiUpperCase(ARequestInfo.TransferEncoding) = AnsiUpperCase('chunked')) or
   (Pos(AnsiUpperCase('chunked'), AnsiUpperCase(ARequestInfo.CustomHeaders.Text)) > 0) or
   (Pos(AnsiUpperCase('chunked'), AnsiUpperCase(ARequestInfo.RawHeaders.Text)) > 0) then
begin
  AResponseInfo.ContentText := '<h1>Access denied: Disabled Chunked Encoding</h1>';
  Handled := True;
  AResponseInfo.CloseConnection := True;
  AResponseInfo.CloseSession;
  Exit;
end;
```

This way I have some control to limit the body of the POST request message. If anyone can test it and help make the code better, I would be happy to test it.
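The framing policy the post above enforces (cap the declared body length, refuse chunked bodies), written as an added Python check over raw request headers so it can be exercised without a uniGUI server; this is not the poster's code, and the header blocks and the 2000-byte limit are constructed for the example. It goes beyond the Delphi version in two ways: "chunked" is only recognised as a token of the Transfer-Encoding header rather than as a substring anywhere in the raw headers, and duplicate or non-numeric Content-Length values are denied as ambiguous framing.

```python
import re
from typing import List, Tuple

MAX_BODY_BYTES = 2000  # the poster's limit; a constructed value for this example


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block into (name, value) pairs, keeping duplicates."""
    pairs = []
    for line in raw.split("\r\n"):
        if line == "":
            break  # blank line ends the header block
        if ":" not in line or line[0] in " \t":  # also rejects obsolete line folding
            raise ValueError("malformed header line: %r" % line)
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_framing(raw_headers: str, max_body: int = MAX_BODY_BYTES) -> Tuple[bool, str]:
    """Return (allowed, reason) for the body framing declared by the headers."""
    try:
        headers = parse_headers(raw_headers)
    except ValueError as exc:
        return False, str(exc)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    # 'chunked' must be a token of Transfer-Encoding; a substring match over all
    # raw headers would also deny a User-Agent that merely contains the word.
    te_tokens = {t.strip().lower() for v in te for t in v.split(",")}
    if "chunked" in te_tokens:
        return False, "chunked transfer encoding is disabled"
    if te:  # any other encoding also hides the body length from a simple cap
        return False, "unsupported Transfer-Encoding: " + ", ".join(te)
    if len(set(cl)) > 1:  # two different lengths: ambiguous framing, deny
        return False, "conflicting Content-Length values"
    if cl:
        if not re.fullmatch(r"[0-9]+", cl[0]):  # rejects '', '+5', ' 5', '1e3'
            return False, "non-numeric Content-Length"
        if int(cl[0]) > max_body:
            return False, "Content-Length %s exceeds limit %d" % (cl[0], max_body)
    return True, "ok"


if __name__ == "__main__":
    for raw in ("Content-Length: 120\r\nHost: app.example\r\n\r\n",  # constructed samples
                "Transfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n",
                "User-Agent: chunked-client\r\nContent-Length: 10\r\n\r\n"):
        print(check_framing(raw))
```

The check only covers the declared framing; like the PostStream.Size test in the post, the actual number of bytes read still has to be compared against the same limit.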