Tarek,

On 10/31/18 03:19, Ahmed, Tarek wrote:
> Christopher,
>
> On 30.10.18 at 18:30, Christopher Schultz wrote:
>
>> Has anyone ever attacked one of your web applications? There are some fun ways to make an application use a huge amount of memory. Just because the applications themselves are behaving doesn't mean that all the users are behaving.
>>
>> For example, do you have a max POST size set for your application? If not, I can send your login form a username that is so long it might exhaust your heap. 2147483647 characters is a LOT of characters.
>>
>> If you have a max POST size, maybe you don't filter-out PUT requests, and have Tomcat parsing those for you. Same problem, there.
>>
>> Just something to think about. Most web applications haven't really been exercised by someone who knows what might break it. Can you afford for those applications to take each other down because the JVM becomes unstable? Maybe and maybe not.
>
> I have to assume that our applications are attacked, though so far at least we have no knowledge of serious incidences. The security measures taken in the individual applications vary with the security awareness of the programming team responsible (and, of course, the criticality of the application).
>
> We are working on increasing this awareness but this is a slow and ongoing process, and, of course, anyone really competent at hacking web applications usually finds jobs that are better paid than software development, so we, as mostly everyone else, will always lag behind.
>
> Anyway, thanks for the additional argument and for the hint regarding maxPostSize. This http://tomcat.apache.org/tomcat-8.5-doc/config/http.html, though, says it's set to 2097152 characters, which is still a lot of bytes and more than most applications need. I'll check how we handle that :-)

Exactly. 2MiB times the number of allowable connections, which is something like 10k by default. How big is your heap?

-chris
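An added example, not from this thread or from Tomcat itself: a servlet filter that bounds the request body for every HTTP method, so a PUT or chunked body that the application reads on its own cannot grow past a fixed budget regardless of the connector's maxPostSize. The 64 KiB budget and the filter's name are assumptions; it targets the Servlet 3.1 API that Tomcat 8.5 implements.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Bounds the request body for every HTTP method. Tomcat's maxPostSize only
 * caps the form parameters Tomcat parses itself; a PUT (or a POST that the
 * application streams by hand) is otherwise limited only by the heap.
 */
@WebFilter("/*")
public class BodyLimitFilter implements Filter {
    // Assumed budget: 64 KiB per request. Multiply by maxConnections for the worst-case heap use.
    private static final long MAX_BODY = 64L * 1024;

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Declared length over budget: reject before a single body byte is buffered.
        if (http.getContentLengthLong() > MAX_BODY) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        // Chunked or untruthful Content-Length: count bytes as the application reads them.
        // Assumes the application reads via getInputStream(); getReader() would need the same wrap.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override
            public ServletInputStream getInputStream() throws IOException {
                final ServletInputStream in = super.getInputStream();
                return new ServletInputStream() {
                    private long seen = 0;
                    @Override public int read() throws IOException {
                        int b = in.read();
                        if (b != -1 && ++seen > MAX_BODY) {
                            throw new IOException("request body exceeds " + MAX_BODY + " bytes");
                        }
                        return b;
                    }
                    @Override public boolean isFinished() { return in.isFinished(); }
                    @Override public boolean isReady() { return in.isReady(); }
                    @Override public void setReadListener(ReadListener l) { in.setReadListener(l); }
                };
            }
        }, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

The IOException surfaces in the application as a failed read rather than a silently truncated body, which is the behaviour you want when the limit trips mid-stream.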