
How to control request headers


irigsoft


Hello,

For security reasons, I want to control some of the application headers, such as:

Accept - in my own application the Accept request header is always */* and I want to set it at the start of the app

Content-Length and others

I'm trying to set these headers in my TUniServerModule.UniGUIServerModuleHTTPCommand, but when I check it with the Google console, I don't see any changes to the request headers.

I'm trying to set it up in my CustomHeaders, but then the changes are only in the response headers.

So how do I control the request headers in my standalone application, or how can I check whether they have changed?


Hello,

I created a control over the length of the POST content (why it is important: https://portswigger.net/web-security/request-smuggling

https://portswigger.net/web-security/request-smuggling/advanced/request-tunnelling)

On a POST command the message body can be sent in 2 ways:

1. as text (must control Content-Length)

2. as a Stream (must control PostStream)

TUniServerModule.UniGUIServerModuleHTTPCommand

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo;
  AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
var
  MyRequestContentLength: Int64; // in bytes
begin
  MyRequestContentLength := 2000; // I want to limit request size to 2000 bytes

  // The Content-Length header indicates the size of the message body, in bytes, as sent by the client.
  //   https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Length
  if MyRequestContentLength > 0 then
  begin
    // 1. Body sent as text: check the Content-Length header, if the request has one.
    // Note: HTTP/1.1 servers are required to allow clients to post data using the "chunked"
    // transfer encoding. In that case there is no Content-Length header (or it is 0) and the
    // body length is not known until the final chunk has been received, so this check alone
    // is not enough; the Transfer-Encoding header has to be looked at as well (see below).
    if ARequestInfo.HasContentLength then
      if ARequestInfo.ContentLength > MyRequestContentLength then
      begin
        // close the session if the POST Content-Length is bigger than MyRequestContentLength
        AResponseInfo.ContentText := '<h1>Access denied: BIGGER ContentLength</h1>';
        Handled := True;
        AResponseInfo.CloseConnection := True;
        AResponseInfo.CloseSession;
        Exit;
      end;

    // 2. Body sent as a stream: check PostStream.Size.
    if ARequestInfo.PostStream <> nil then
      if ARequestInfo.PostStream.Size > MyRequestContentLength then
      begin
        // close the session if the POST PostStream.Size is bigger than MyRequestContentLength
        AResponseInfo.ContentText := '<h1>Access denied: BIGGER POST Stream Size</h1>';
        Handled := True;
        AResponseInfo.CloseConnection := True;
        AResponseInfo.CloseSession;
        Exit;
      end;
  end;
end;

I also added a Chunked Encoding control (same event handler, placed after the checks above):

  // 3. Chunked transfer encoding is not allowed at all: check the parsed Transfer-Encoding
  // header and, as a fallback, look for "chunked" anywhere in the custom and raw headers.
  if SameText(ARequestInfo.TransferEncoding, 'chunked')
    or (Pos('CHUNKED', AnsiUpperCase(ARequestInfo.CustomHeaders.Text)) > 0)
    or (Pos('CHUNKED', AnsiUpperCase(ARequestInfo.RawHeaders.Text)) > 0) then
  begin
    AResponseInfo.ContentText := '<h1>Access denied: Disabled Chunked Encoding</h1>';
    Handled := True;
    AResponseInfo.CloseConnection := True;
    AResponseInfo.CloseSession;
    Exit;
  end;

This way I have some control to limit the body of the POST request message.

If anyone can test it and help make the code better, I would be happy to test.
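As an added example (not code from the post or from uniGUI), the same decisions expressed as a standalone Python header inspector that runs over raw request bytes, so the rules can be exercised offline before wiring them into the server event. The requests and the 2000-byte limit are constructed here, and the duplicate Content-Length check goes one step beyond the post, since two conflicting lengths are the other classic request-smuggling ambiguity covered by the linked PortSwigger article.

```python
from dataclasses import dataclass

MAX_BODY_BYTES = 2000  # same limit as the post; constructed for this example

@dataclass
class Verdict:
    allowed: bool
    reason: str

def parse_headers(raw: bytes) -> dict:
    """Map lower-cased header name -> list of values (duplicates kept) for a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # element 0 is the request line
        name, sep, value = line.partition(b":")
        if sep:
            key = name.strip().lower().decode("latin-1")
            headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers

def inspect_request(raw: bytes, max_body: int = MAX_BODY_BYTES) -> Verdict:
    headers = parse_headers(raw)
    te = headers.get("transfer-encoding", [])
    cl = headers.get("content-length", [])
    # 1. Chunked bodies are refused outright. A substring test mirrors the Pos() check
    #    in the post, so obfuscated values such as "xchunked" are caught as well.
    if any("chunked" in v.lower() for v in te):
        return Verdict(False, "chunked transfer-encoding is disabled")
    # 2. Two Content-Length headers are the classic smuggling ambiguity: refuse.
    if len(cl) > 1:
        return Verdict(False, "multiple Content-Length headers")
    # 3. A single Content-Length must be numeric and within the limit.
    if cl:
        if not cl[0].isdigit():
            return Verdict(False, "malformed Content-Length")
        if int(cl[0]) > max_body:
            return Verdict(False, f"Content-Length {cl[0]} exceeds {max_body} bytes")
    return Verdict(True, "ok")

# Constructed sample requests (request line and headers only; bodies omitted).
SAMPLES = {
    "small_post": b"POST /x HTTP/1.1\r\nHost: app\r\nContent-Length: 13\r\n\r\n",
    "oversized": b"POST /x HTTP/1.1\r\nHost: app\r\nContent-Length: 5000\r\n\r\n",
    "chunked": b"POST /x HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n",
    "dual_cl": b"POST /x HTTP/1.1\r\nHost: app\r\nContent-Length: 10\r\nContent-Length: 4\r\n\r\n",
}

def run_samples() -> dict:
    """Run every sample through inspect_request; returns {name: Verdict}."""
    return {name: inspect_request(req) for name, req in SAMPLES.items()}
```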
