From 62b192c21793b8426e9ace0ad5fc4436192f99fc Mon Sep 17 00:00:00 2001
From: CPol <carlospolop@gmail.com>
Date: Sun, 12 May 2024 19:49:11 +0000
Subject: [PATCH] GITBOOK-4336: No subject

---
 .../pentesting-web/php-tricks-esp/README.md        | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
index 340cc9151..6fb0ac368 100644
--- a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
+++ b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
@@ -210,6 +210,20 @@ True
 
 ### HTTP headers bypass abusing PHP errors
 
+#### Causing error after setting headers
+
+From [**this twitter thread**](https://twitter.com/pilvar222/status/1784618120902005070?t=xYn7KdyIvnNOlkVaGbgL6A\&s=19) you can see that sending more than 1000 GET params or 1000 POST params or 20 files, PHOP is not going to be setting headers in the response.
+
+Allowing to bypass for example CSP headers being set in codes like:
+
+```php
+<?php
+header("Content-Security-Policy: default-src 'none';");
+if (isset($_GET["xss"])) echo $_GET["xss"];
+```
+
+#### Filling a body before setting headers
+
 If a **PHP page is printing errors and echoing back some input provided by the user**, the user can make the PHP server print back some **content long enough** so when it tries to **add the headers** into the response the server will throw and error.\
 In the following scenario the **attacker made the server throw some big errors**, and as you can see in the screen when php tried to **modify the header information, it couldn't** (so for example the CSP header wasn't sent to the user):