Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Dropping connection instead of returning 400

from [christopher] Network Security [Permanent Link]
Subject: Dropping connection instead of returning 400
Date: Tue, 1 Mar 2005 20:59:37 -0800 (PST) 
I have an application proxy "under my pillow" so to speak.  I've built it
from the ground up over the past couple years with security in mind.  It
has been a long and tedious task, but I think my efforts are finally
starting to pay off.

One thing that keeps coming back to me is 400 Bad Request handling.  It is
now my opinion that security proxies should just drop connection when
faced with traffic they refuse to handle.

I put some thoughts on this on my blog here:

http://www.baus.net/400-bad-request

Which cause one client developer to call me a non-compliant wanker here:

http://www.mackmo.com/nick/blog/java/?permalink=Please_send_400_Bad_Request_and_.txt

I then followed up with the general thought that I'm willing to be
non-compliant in the name of security:

http://www.baus.net/breaking-the-spec-in-the-name-of-security

So what do you think?  Is security worth non-compliance with the HTTP spec?

Christopher Baus
========
Implementing an HTTP proxy?
Consider a fast, secure alternative
http://www.baus.net/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: ISA Server and SQL Injection, christopher
Next by Date:  Re: Preventing direct URL access in a J2EE environment, Saqib Ali
Previous by Thread:  Boston OWASP Chapter, Weiler, Jim
Next by Thread:  Re: Dropping connection instead of returning 400, Mariusz Pękala
Indexes:  [Date] [Thread] [Top] [All Lists]