Forum Discussion
dburnett_103851
Nimbostratus
Mar 10, 2009
Max No. of Headers
Just wondering what other ASM users have this set to in their HTTP Protocol Compliance settings.
The default value is 20 but I've started to notice requests from what look like mobile...
hoolio
Cirrostratus
Mar 10, 2009
Out of curiosity, what are the header names/values that the WAP clients send? I know some WAP devices have very very long Accept headers, but I haven't seen requests with a large number of headers.
I would guess the setting is there to protect apps that crash from parsing too many HTTP headers. Maybe someone from F5 would like to comment on this. Else, you could open a case with F5 Support. The only concrete vulnerability I could find on the internets is in an old Secunia alert:
http://secunia.com/advisories/12666/
Description:
Luigi Auriemma has reported a vulnerability in Icecast, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a boundary error in the parsing of HTTP headers. This can be exploited to cause a buffer overflow by supplying more than 31 headers in a HTTP request.
Successful exploitation allows execution of arbitrary code.
If you're seeing legitimate requests with more than 20 headers you can increase it to a level above the highest number of headers you've seen in a legal request, or you can disable the check. I suppose you could also use an iRule to remove request headers which the app doesn't use.
Aaron
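An added example, not code from this thread or from F5, showing in Python what the "Max No. of Headers" check actually counts and what the iRule suggestion above would do: it parses a constructed mobile-style request, counts every header line (duplicates included, and independent of how long an Accept value is), applies a configurable limit, and prunes headers down to an allowlist of names the application uses. Function names, the sample request and the header values are assumptions made for this example.

```python
from typing import Dict, List, Set, Tuple

DEFAULT_MAX_HEADERS = 20  # ASM default mentioned in the thread

Header = Tuple[str, str]


def parse_request(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a raw HTTP/1.x request head into the request line and a header list.
    A list (not a dict) is returned so repeated header names are still counted,
    which is how a header-count limit sees them."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def check_header_count(headers: List[Header], max_headers: int = DEFAULT_MAX_HEADERS) -> bool:
    """True when the request stays within the header-count limit."""
    return len(headers) <= max_headers


def prune_headers(headers: List[Header], allowed: Set[str]) -> List[Header]:
    """Keep only headers the application uses (names compared case-insensitively)."""
    allow = {name.lower() for name in allowed}
    return [(n, v) for n, v in headers if n.lower() in allow]


def summarize(headers: List[Header]) -> Dict[str, object]:
    """Count headers and report the one with the longest value, to tell
    'many headers' apart from 'one very long Accept header'."""
    longest = max(headers, key=lambda h: len(h[1])) if headers else ("", "")
    return {"count": len(headers), "longest_header": longest[0], "longest_len": len(longest[1])}


def build_request(extra: int) -> bytes:
    """Constructed sample: a WAP-style request with a long Accept header,
    plus `extra` filler headers to push the count over the limit."""
    accept = "text/vnd.wap.wml, " + ", ".join(f"application/vnd.sample.{i}" for i in range(40))
    lines = ["GET /index.wml HTTP/1.1", "Host: example.invalid",
             "User-Agent: SampleWAP/1.0", "Accept: " + accept]
    lines += [f"X-Filler-{i}: {i}" for i in range(extra)]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")
```

Running `summarize(parse_request(build_request(0))[1])` shows a long Accept value counts as a single header, while `build_request(20)` produces 23 headers and fails the default limit until it is raised or the filler headers are pruned.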