WebApp Sec mailing list archives

Re: Dropping connection instead of returning 400


From: Michel Arboi <michel.arboi () gmail com>
Date: Fri, 4 Mar 2005 12:39:41 +0100

On Tue, 1 Mar 2005 20:59:37 -0800 (PST), christopher () baus net
<christopher () baus net> wrote:
One thing that keeps coming back to me is 400 Bad Request handling.  It is
now my opinion that security proxies should just drop connection when
faced with traffic they refuse to handle.

I cannot see any case where dropping the connection actually enhances
security. You'd better send back a 400 (bad request) or 403
(forbidden) -- or even, in some specific cases, 405 (method not
allowed) or 406 (content not allowed).

http://www.baus.net/400-bad-request

I guess that some software might retry the request if the connection
is dropped. This is a waste of resources.
You can send back a 400 with little information in the message.

By the way, I know that some software drops the connection in the face
of a badly broken request. In fact, this helps fingerprinting (with
HMAP).
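As an added illustration (not part of Michel's message nor of any proxy discussed in the thread), the snippet below sketches the behaviour he argues for: a gateway validates the request line and, instead of closing the socket, answers unacceptable traffic with a terse, uniform 400 or 405 that carries no server banner or error detail. The allowed-method set, function names and sample requests are assumptions constructed for the example.

```python
"""Minimal request-line validation for an HTTP gateway front end.

Added example, not from the mailing-list post: rejects traffic the
gateway refuses to handle with a short, uniform 4xx response rather
than dropping the TCP connection.  The response has no Server header
and no descriptive body, so it gives a probing client little to work
with, while well-behaved clients get a definitive answer and do not
retry the request.
"""
import re
from typing import Optional

# Methods this hypothetical gateway is willing to forward (assumption).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

# RFC 2616 request line: Method SP Request-URI SP HTTP-Version.
# Method is a token; the URI must be non-empty printable ASCII with
# no whitespace or control characters.
REQUEST_LINE = re.compile(
    rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) ([!-~]+) HTTP/(\d)\.(\d)$"
)


def _terse_response(status_line: bytes, extra_headers: bytes = b"") -> bytes:
    """Status line plus the bare minimum of headers; nothing identifies the software."""
    return (
        status_line + b"\r\n"
        + extra_headers
        + b"Content-Length: 0\r\n"
        b"Connection: close\r\n"
        b"\r\n"
    )


def classify_request(raw: bytes) -> int:
    """Return the status the gateway should answer with.

    0   -> request line is acceptable and may be forwarded
    400 -> not a syntactically valid HTTP/1.x request line
    405 -> valid request line, but a method we do not forward
    """
    # Only the first line matters here; tolerate a bare LF from sloppy clients.
    first_line, _, _ = raw.partition(b"\n")
    first_line = first_line.rstrip(b"\r")
    m = REQUEST_LINE.match(first_line)
    if m is None:
        return 400
    method = m.group(1).decode("ascii")
    if method not in ALLOWED_METHODS:
        return 405
    return 0


def gateway_response(raw: bytes) -> Optional[bytes]:
    """Bytes to send back for a rejected request, or None if it may be forwarded."""
    status = classify_request(raw)
    if status == 0:
        return None
    if status == 405:
        # RFC 2616 10.4.6 requires an Allow header on 405; still no banner or body.
        allow = b"Allow: " + ", ".join(sorted(ALLOWED_METHODS)).encode("ascii") + b"\r\n"
        return _terse_response(b"HTTP/1.1 405 Method Not Allowed", allow)
    return _terse_response(b"HTTP/1.1 400 Bad Request")


if __name__ == "__main__":
    # Constructed sample traffic: one clean request, one HTTP/0.9-style line
    # without a version, one unsupported method, and non-HTTP bytes on the port.
    samples = [
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"GET /index.html\r\n",
        b"DELETE /item/1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"\x16\x03\x01\x00\x8fnot-http-at-all",
    ]
    for s in samples:
        print(repr(s[:24]), "->", classify_request(s), gateway_response(s))
```

Every rejection looks the same on the wire regardless of what was wrong with the request, which is the point: the client learns that the request was refused and nothing about why or by what.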
