Is the ability to enter an unlimited number of characters (for example, in a search field) on a website a vulnerability?

D

Dauren2014-10-10 17:13:17

DDoS Protection

Dauren, 2014-10-10 17:13:17

Good afternoon.
I heard that if the website does not restrict data entry fields (i.e., allows you to enter as many characters as you like, for example, in the search bar, which leads to a 403 or 500 error), then this can be used by attackers (for example, during a ddos attack).
can anyone advise on this matter?

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

T

tzlom, 2015-02-15
@tzlom

There are two vectors in such an attack:
- incorrect processing of a large field in the backend (for example, it is artificially assumed that the field is no longer than a certain value, or it is cut off in an unacceptable way when added to the database), then this is a backend problem and it needs to be treated there
- buffer overflow attack on the server , then your server must either be ready to accept a large amount of data or refuse to process a large request. By default, nginx and apache have limits on incoming requests, in general, this is enough, in these limits it is known that they do not fall and withstand a large number of requests.
As you can see, everything depends on your server and it doesn't matter whether you forbid it on the page or not.
The point is that all the bans on the page will not interfere with the attacker, because. it has no problem to form a request without the participation of the browser.