
Re: [Full-disclosure] Exploiting sibling domains cookie isolation policy to DoS CDN users



On Thu, Apr 11, 2013 at 6:05 PM, Jann Horn <jann@xxxxxxxxx> wrote:
> On Thu, Apr 11, 2013 at 05:01:57PM +0200, Jan Wrobel wrote:
>> [...]
>
> CDNs could mitigate this by, instead of resetting connections with lots of
> headers, just reading all the cookies and throwing them into the bit bucket
> instead of keeping them in RAM, right? That way, there would still be the
> wasted bandwidth, but combined with the Google approach, it should work fine,
> right? If the client sends too many headers, just ignore everything until you
> reach \n\n, then send back the error script?

In my view a cookie resetting script is rather a last resort defense,
not a reliable mechanism to depend upon. Sites that include
resources from a CDN rarely serve main or iframed HTML documents from
the CDN origin, and this is required for the resetting script to work.
If such a script was returned when a browser is expecting a script, img,
css or other non-HTML sub-resource, it would not work.

Jan
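
The "read the cookies and throw them into the bit bucket" idea from the quoted message, as an added example (not code from either poster, nor from any CDN): a request-head reader that buffers header bytes only up to a cap, then keeps consuming the rest of the head in chunks without storing it, until the blank line that ends the head. Memory stays bounded to roughly the cap plus one chunk while bandwidth is still spent, which is the trade-off the quoted message describes. The limits, the header names and the sample requests are constructed for the example; the 431 status code is the standard "Request Header Fields Too Large" response, and the body is left empty because, as the reply above notes, a cookie-resetting script only helps when the browser is expecting an HTML document.

```python
import io

# Constructed limits for this example; a real edge would tune these per deployment.
KEEP_LIMIT = 8 * 1024          # header bytes retained in memory per request
DRAIN_LIMIT = 2 * 1024 * 1024  # bytes read-and-discarded before the client is dropped
CHUNK = 4096                   # read size; retained memory is at most KEEP_LIMIT + CHUNK


def parse_head(raw, truncated):
    """Split a request head into (request_line, {lowercased name: value}).

    When `truncated` is set the final line may be cut off mid-header, so it is
    dropped instead of being parsed as a bogus header.
    """
    lines = raw.split(b"\r\n")
    if truncated:
        lines = lines[:-1]
    request_line = lines[0] if lines else b""
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def read_request_head(stream, keep_limit=KEEP_LIMIT, drain_limit=DRAIN_LIMIT, chunk=CHUNK):
    """Read an HTTP/1.1 request head from a binary stream with bounded memory.

    Bytes are buffered only until `keep_limit`; past that the head is consumed
    chunk by chunk and discarded until the terminating blank line, or until
    `drain_limit`, at which point the connection is abandoned.  Returns
    (request_line, headers, oversized, leftover) where leftover is any body
    bytes that arrived in the same read as the end of the head.
    """
    head = bytearray()
    window = b""      # last 3 bytes seen in drain mode, to catch \r\n\r\n across chunk edges
    total = 0
    oversized = False
    while True:
        data = stream.read(chunk)
        if not data:
            raise ConnectionError("client closed connection before end of headers")
        total += len(data)
        if total > drain_limit:
            raise ConnectionError("request head exceeds drain limit; dropping connection")
        if not oversized:
            head += data
            end = head.find(b"\r\n\r\n")
            if end != -1:
                request_line, headers = parse_head(bytes(head[:end]), False)
                return request_line, headers, False, bytes(head[end + 4:])
            if len(head) > keep_limit:
                # Switch to drain mode: keep what is already buffered, store nothing more.
                oversized = True
                window = bytes(head[-3:])
            continue
        # Drain mode: scan for the terminator without retaining the data.
        probe = window + data
        end = probe.find(b"\r\n\r\n")
        if end != -1:
            request_line, headers = parse_head(bytes(head), True)
            return request_line, headers, True, probe[end + 4:]
        window = probe[-3:]


def read_request_bytes(request):
    """Convenience wrapper for in-memory requests."""
    return read_request_head(io.BytesIO(request))


def too_large_response():
    """Reply for an oversized head: 431 (RFC 6585) and close the connection.
    The body is empty here; an HTML cookie-resetting page would only help
    when the browser is expecting an HTML document."""
    return (b"HTTP/1.1 431 Request Header Fields Too Large\r\n"
            b"Connection: close\r\n"
            b"Content-Length: 0\r\n\r\n")


# Constructed sample requests: one with a Cookie header far beyond KEEP_LIMIT,
# one ordinary request that should parse normally.
SAMPLE_OVERSIZED = (b"GET /static/app.js HTTP/1.1\r\n"
                    b"Host: cdn.example\r\n"
                    b"Cookie: junk=" + b"A" * (300 * 1024) + b"\r\n"
                    b"\r\n"
                    b"BODY")
SAMPLE_SMALL = b"GET / HTTP/1.1\r\nHost: cdn.example\r\nCookie: x=1\r\n\r\n"

if __name__ == "__main__":
    line, headers, oversized, leftover = read_request_bytes(SAMPLE_OVERSIZED)
    print(line, headers, oversized, leftover)   # Host is kept, the giant Cookie is not
    if oversized:
        print(too_large_response())
```

The oversized sample is about 300 KB, yet the reader never holds more than KEEP_LIMIT + CHUNK bytes of it: the request line and Host header survive, the partial Cookie line is dropped rather than parsed, and the body bytes that followed the head are handed back untouched. Raising the drain limit trades more wasted bandwidth for fewer dropped clients, which is exactly the knob the quoted message is asking about.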

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/