big-list-of-naughty-strings
The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data.
For those unwanted requests, I had some fun on my own servers sending back a selection of random responses, among which: a gzip bomb, an XML bomb, a redirect to localhost, a redirect to their own public IP, sending back data whose content-length doesn't match what they're actually getting, and a bunch of other shenanigans. The code is available on GitHub [1]; I'm super keen to add a bunch of other fun payloads if someone has some clever ideas.
[1] https://github.com/mickael-kerjean/filestash/blob/master/ser...
(or run "cat" instead of cowsay to block their script)
- Pick a header, then insert one from [EICAR test string[2], \x00, \n] somewhere in the middle.
- Or just add a "Server:" header with a random line from the Big List of Naughty Strings[3].
- Redirect to a normal URL, but with a trailing dot in the domain name[4], like "example.com.". It's valid, but you'd be surprised how many things it breaks.
- Nested content encoding with "Content-Encoding: gzip, gzip, gzip, gzip, ...", with a randomly selected depth. Or where the n-1 payload is "WAZAAAA" instead of a valid gzip.
- "Content-Type: image/jpeg" and "Content‑Encoding: gzip" with a valid gzip body... But the ‑ in "Content‑Encoding" is U+2011 NON-BREAKING HYPHEN.
- Spin the wheel of HTTP status codes! res.WriteHeader(rand.Intn(1000))
- Infinite loop sending a 100 (Continue) every five seconds (they might have a timeout for the TCP and TLS handshakes, but did they remember to set a timeout for receiving the HTTP body?). Watch out for running out of connections.
[1] https://github.com/jwilk/url.sh
[2] https://en.wikipedia.org/wiki/EICAR_test_file
[3] https://github.com/minimaxir/big-list-of-naughty-strings
[4] https://en.wikipedia.org/wiki/Fully_qualified_domain_name
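The flip side of the tricks listed above is what a well-behaved HTTP client should do when it meets them. The following is an added example, not code from either commenter or from Filestash: a Go body decoder that refuses unknown Content-Encoding tokens, bounds the "gzip, gzip, gzip, ..." nesting depth, reports a layer that is not valid gzip (the "WAZAAAA" case), and caps the inflated size so a compressed bomb cannot exhaust memory. The limits (3 layers, 1 MiB) are assumed values chosen for the example.

```go
package main
import (
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"strings"
)
// Limits chosen for this example (assumed values, not taken from any project).
const maxEncodingDepth = 3      // refuse "gzip, gzip, gzip, gzip, ..."
const maxDecodedBytes = 1 << 20 // refuse bodies that inflate past 1 MiB

var errTooDeep = errors.New("content-encoding chain too deep")
var errUnknownCoding = errors.New("unsupported content-encoding token")
var errTooLarge = errors.New("decoded body exceeds size limit")

// decodeBody undoes a Content-Encoding chain defensively: every token is
// validated, the nesting depth is bounded and the decoded size is capped, so a
// malformed or hostile response cannot exhaust memory. Codings are listed in
// the order they were applied, so they are removed from last to first.
func decodeBody(body io.Reader, contentEncoding string) ([]byte, error) {
	var codings []string
	for _, tok := range strings.Split(contentEncoding, ",") {
		switch tok = strings.ToLower(strings.TrimSpace(tok)); tok {
		case "", "identity": // nothing to undo
		case "gzip":
			codings = append(codings, tok)
		default:
			return nil, fmt.Errorf("%w: %q", errUnknownCoding, tok)
		}
	}
	if len(codings) > maxEncodingDepth {
		return nil, errTooDeep
	}
	r := body
	for i := len(codings) - 1; i >= 0; i-- {
		zr, err := gzip.NewReader(r) // fails on a layer such as "WAZAAAA"
		if err != nil {
			return nil, fmt.Errorf("layer %d: %w", i, err)
		}
		r = zr
	}
	// Read one byte past the cap so "exactly at the limit" and "over" differ.
	out, err := io.ReadAll(io.LimitReader(r, maxDecodedBytes+1))
	if err == nil && int64(len(out)) > maxDecodedBytes {
		return nil, errTooLarge
	}
	return out, err
}
```

Pair this with a deadline on the body read (for example a context with a timeout on the request), since the decoder cannot help against the "send a 100 Continue forever" case on its own.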