mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
GITBOOK-4336: No subject
This commit is contained in:
parent
0c8c5b0ede
commit
62b192c217
1 changed files with 14 additions and 0 deletions
|
@ -210,6 +210,20 @@ True
|
|||
|
||||
### HTTP headers bypass abusing PHP errors
|
||||
|
||||
#### Causing error after setting headers
|
||||
|
||||
From [**this twitter thread**](https://twitter.com/pilvar222/status/1784618120902005070?t=xYn7KdyIvnNOlkVaGbgL6A\&s=19) you can see that sending more than 1000 GET params or 1000 POST params or 20 files, PHOP is not going to be setting headers in the response.
|
||||
|
||||
Allowing to bypass for example CSP headers being set in codes like:
|
||||
|
||||
```php
|
||||
<?php
|
||||
header("Content-Security-Policy: default-src 'none';");
|
||||
if (isset($_GET["xss"])) echo $_GET["xss"];
|
||||
```
|
||||
|
||||
#### Filling a body before setting headers
|
||||
|
||||
If a **PHP page is printing errors and echoing back some input provided by the user**, the user can make the PHP server print back some **content long enough** so when it tries to **add the headers** into the response the server will throw and error.\
|
||||
In the following scenario the **attacker made the server throw some big errors**, and as you can see in the screen when php tried to **modify the header information, it couldn't** (so for example the CSP header wasn't sent to the user):
|
||||
|
||||
|
|
Loading…
Reference in a new issue