WebApp Sec mailing list archives
Re: Dropping connection instead of returning 400
From: Michel Arboi <michel.arboi () gmail com>
Date: Fri, 4 Mar 2005 12:39:41 +0100
On Tue, 1 Mar 2005 20:59:37 -0800 (PST), christopher () baus net <christopher () baus net> wrote:
> One thing that keeps coming back to me is 400 Bad Request handling. It is now my opinion that security proxies should just drop connection when faced with traffic they refuse to handle.
I cannot see any case where dropping the connection actually enhances security. You'd better send back a 400 (bad request) or 403 (forbidden) -- or even, in some specific cases, 405 (method not allowed) or 406 (content not allowed).
http://www.baus.net/400-bad-request
I guess that some software might retry the request if the connection is dropped. This is a waste of resources. You can send back a 400 with little information in the message. By the way, I know that some software drops the connection when faced with a badly broken request. In fact, this helps fingerprinting (with HMAP).
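An added example, not code from the list or from any poster, of the reply path this message argues for: a front-end proxy that answers refused requests with a minimal, uniform 4xx (and closes the connection cleanly) rather than dropping the socket. The sample requests are constructed, and the method whitelist is an assumption.

```python
import re

# Constructed sample requests: one well-formed, three that a proxy would refuse.
SAMPLE_REQUESTS = {
    "ok": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "no_version": b"GET /index.html\r\nHost: example.test\r\n\r\n",
    "bad_method": b"BREW /pot HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "garbage": b"\x00\x01\x02 not http at all\r\n\r\n",
}

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}  # assumed policy for this proxy

def _reject(status, reason):
    """Build the same terse reply for every refused request: no server banner,
    no echo of the offending bytes, so the reject path gives little to fingerprint."""
    body = f"{status} {reason}\n".encode()
    headers = [
        f"HTTP/1.1 {status} {reason}",
        "Connection: close",
        "Content-Type: text/plain",
        f"Content-Length: {len(body)}",
    ]
    if status == 405:  # RFC-required for 405
        headers.append("Allow: " + ", ".join(m.decode() for m in sorted(ALLOWED_METHODS)))
    return ("\r\n".join(headers) + "\r\n\r\n").encode() + body

def classify(raw):
    """Return (status, reason); 200 means the request may be forwarded."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return 400, "Bad Request"
    if m.group(1) not in ALLOWED_METHODS:
        return 405, "Method Not Allowed"
    if not any(line.lower().startswith(b"host:") for line in lines[1:]):
        return 400, "Bad Request"  # HTTP/1.1 requires a Host header
    return 200, "OK"

def handle(raw):
    """Return the minimal error response bytes, or None when the request passes."""
    status, reason = classify(raw)
    if status == 200:
        return None
    return _reject(status, reason)
```

Two differently malformed requests get byte-identical replies, which is the property that matters when the alternative (a silent drop) is itself a distinguishing behaviour.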