Christopher,

On 30.10.18 at 18:30, Christopher Schultz wrote:

> Has anyone ever attacked one of your web applications? There are some
> fun ways to make an application use a huge amount of memory. Just
> because the applications themselves are behaving doesn't mean that all
> the users are behaving.
>
> For example, do you have a max POST size set for your application? If
> not, I can send your login form a username that is so long it might
> exhaust your heap. 2147483647 characters is a LOT of characters.
>
> If you have a max POST size, maybe you don't filter-out PUT requests,
> and have Tomcat parsing those for you. Same problem, there.
>
> Just something to think about. Most web applications haven't really
> been exercised by someone who knows what might break it. Can you
> afford for those applications to take each other down because the JVM
> becomes unstable? Maybe and maybe not.

I have to assume that our applications are attacked, though so far at
least we have no knowledge of serious incidents. The security measures
taken in the individual applications vary with the security awareness of
the programming team responsible (and, of course, the criticality of the
application).

We are working on increasing this awareness, but this is a slow and
ongoing process, and, of course, anyone really competent at hacking web
applications usually finds jobs that are better paid than software
development, so we, like almost everyone else, will always lag behind.

Anyway, thanks for the additional argument and for the hint regarding
maxPostSize. This page,
http://tomcat.apache.org/tomcat-8.5-doc/config/http.html, though, says
it's set to 2097152 characters, which is still a lot of bytes and more
than most applications need. I'll check how we handle that :-)

greetings,

tarek
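The thread makes two separate points: the Connector's `maxPostSize` only bounds Tomcat's own form-parameter parsing, and it only applies to the methods listed in `parseBodyMethods` (POST by default), so a PUT body, or any body the application reads itself, is not covered by it. The filter below is an added example written for this thread, not code from the list or from Tomcat; it caps the raw request body for every method at an assumed 64 KiB (`MAX_BODY_BYTES` is an invented name, tune it per application) so that an oversized login field is refused before it can be buffered into the heap.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ReadListener;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects request bodies larger than MAX_BODY_BYTES for every HTTP method
 * (POST, PUT, PATCH, ...). This is independent of the Connector's
 * maxPostSize, which only limits Tomcat's form-parameter parsing for the
 * methods named in parseBodyMethods.
 */
@WebFilter("/*")
public class BodySizeLimitFilter implements Filter {

    // Assumed cap (example value): 64 KiB is plenty for a login form.
    static final long MAX_BODY_BYTES = 64L * 1024;

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Fast path: a declared Content-Length above the cap is refused
        // before a single body byte is read (413 Payload Too Large).
        if (request.getContentLengthLong() > MAX_BODY_BYTES) {
            response.sendError(413);
            return;
        }
        // Chunked bodies (no Content-Length) or a client that lies about the
        // length: wrap the stream so the application can never read past the cap.
        chain.doFilter(new BoundedRequest(request), response);
    }

    /** Request wrapper whose getInputStream()/getReader() enforce the byte cap. */
    private static final class BoundedRequest extends HttpServletRequestWrapper {
        BoundedRequest(HttpServletRequest request) { super(request); }

        @Override
        public ServletInputStream getInputStream() throws IOException {
            return new BoundedInputStream(super.getInputStream(), MAX_BODY_BYTES);
        }

        @Override
        public BufferedReader getReader() throws IOException {
            // Route getReader() through the bounded stream; the wrapper's default
            // would hand out the container's unbounded reader.
            String enc = getCharacterEncoding();
            Charset cs = enc != null ? Charset.forName(enc) : Charset.forName("ISO-8859-1");
            return new BufferedReader(new InputStreamReader(getInputStream(), cs));
        }
    }

    /** ServletInputStream that fails once more than 'limit' bytes were read. */
    private static final class BoundedInputStream extends ServletInputStream {
        private final ServletInputStream delegate;
        private final long limit;
        private long count;

        BoundedInputStream(ServletInputStream delegate, long limit) {
            this.delegate = delegate;
            this.limit = limit;
        }

        private void account(long n) throws IOException {
            count += n;
            if (count > limit) {
                throw new IOException("request body exceeds " + limit + " bytes");
            }
        }

        @Override public int read() throws IOException {
            int b = delegate.read();
            if (b != -1) account(1);
            return b;
        }

        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = delegate.read(buf, off, len);
            if (n > 0) account(n);
            return n;
        }

        @Override public boolean isFinished() { return delegate.isFinished(); }
        @Override public boolean isReady() { return delegate.isReady(); }
        @Override public void setReadListener(ReadListener l) { delegate.setReadListener(l); }
    }
}
```

One caveat worth knowing: `getParameter()` is served by the container from the underlying request, not through this wrapper, so form parsing is still governed by `maxPostSize` and `parseBodyMethods` on the Connector. The two controls complement each other; the filter covers what the application reads itself, and the Connector attributes cover what Tomcat parses on its behalf.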
