    Activity Processors: Header Processor: Incident - Request Header Overflow

    Complexity: Suspicious (1.0)

    Default Response: 3x = Compound Request Header Overflow Incident.

    Cause: WebApp Secure monitors all of the request headers sent from the client to the server. It has a configured limit that defines how long any individual header is allowed to be. After 3 or more headers are submitted that exceed the limit, this incident will be triggered.

    Behavior: While not as common as form inputs or query parameter inputs, some web applications use the values submitted in headers within their code base. If these values are handled incorrectly, such as not being validated before being used in an SQL statement, they potentially expose the same set of vulnerabilities a form input might. As such, a hacker who is attempting to execute a "Buffer Overflow" attack might do so by providing an excessively long value in a header. They can also use an excessively long header value to craft a complex "SQL Injection" attack. Because the user submitted multiple headers that exceeded the defined limit, the intentions of the user are more likely to be malicious: it is less likely that a poorly crafted browser plug-in would overflow multiple headers, even though it might overflow a single one. Because a legitimate user with a poorly written browser plug-in can cause a header of unusual length to be submitted, this incident cannot be guaranteed to be malicious from just a single case.
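The counting rule described under Cause and Behavior, sketched as an added example; this is not WebApp Secure's own code. The 1024-byte limit, the per-client counting across requests, and all class and function names are assumptions, since the page does not state them.

```python
from collections import defaultdict

# Assumed values: the page does not state the configured limit.
MAX_HEADER_LENGTH = 1024   # hypothetical per-header length limit, in bytes
INCIDENT_THRESHOLD = 3     # "3 or more headers ... exceed the limit"


class HeaderOverflowMonitor:
    """Counts oversized request headers per client (hypothetical helper)."""

    def __init__(self, max_len=MAX_HEADER_LENGTH, threshold=INCIDENT_THRESHOLD):
        self.max_len = max_len
        self.threshold = threshold
        self.oversized = defaultdict(list)  # client id -> [(header, length)]

    def inspect(self, client_id, headers):
        """Record oversized headers from one request.

        headers is a list of (name, value) pairs so repeated headers are kept.
        Returns an incident dict once the client reaches the threshold,
        otherwise None.
        """
        for name, value in headers:
            length = len(value.encode("utf-8", errors="replace"))
            if length > self.max_len:
                # Keep the name and length only; the raw value is not stored.
                self.oversized[client_id].append((name.lower(), length))
        hits = self.oversized.get(client_id, [])
        if len(hits) >= self.threshold:
            return {"incident": "Request Header Overflow",
                    "client": client_id,
                    "count": len(hits),
                    "headers": list(hits)}
        return None


def demo():
    """Run two constructed requests through the monitor."""
    monitor = HeaderOverflowMonitor()
    long_value = "A" * 2000  # constructed oversized value
    # One oversized header, as a poorly written plug-in might send.
    plugin_request = [("User-Agent", "Mozilla/5.0"),
                      ("X-Plugin-Data", long_value)]
    # Three oversized headers in a single request.
    suspicious_request = [("Referer", long_value), ("Cookie", long_value),
                          ("Accept-Language", long_value)]
    return (monitor.inspect("client-a", plugin_request),
            monitor.inspect("client-b", suspicious_request))
```

A single oversized header returns None, matching the page's point that one case alone cannot be treated as malicious; the third oversized header from the same client returns the incident record.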

    Published: 2015-02-04