The Wayback Machine - https://web.archive.org/web/20220305223947/https://github.com/opengs/uashield/issues/50

add random string to attacked url to bypass caches #50

Open
mieszkomalawski opened this issue Mar 2, 2022 · 4 comments

Comments


@mieszkomalawski mieszkomalawski commented Mar 2, 2022

As in the title: this will increase the load on the target app.


@furiosae furiosae commented Mar 3, 2022

Are you thinking just a random query string or something appended to the end? (i.e. http://some.target/file.html?r=r4nD0mStr1nG)

@mieszkomalawski mieszkomalawski (Author) commented Mar 3, 2022

> Are you thinking just a random query string or something appended to the end? (i.e. http://some.target/file.html?r=r4nD0mStr1nG)

Yes. Caches like e.g. Varnish generate cache keys based on the URL, so adding a random query string would bypass the cache.

@Razikus Razikus (Collaborator) commented Mar 3, 2022

We must think about it, because it can go in the other direction:
they will just ban requests with params on sites where there should not be any params, for example.


@furiosae furiosae commented Mar 3, 2022

> We must think about it, because it can go in the other direction:
> they will just ban requests with params on sites where there should not be any params, for example.

This is true. Perhaps we split the difference and also randomize when random params and values are added to the end of the URL?

I was also thinking about it earlier; we'd certainly want to randomize the query param name as well as the value--both length and string values.
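The two sides of this thread (random query strings defeat a URL-keyed cache; a site can neutralize or ban them because the path should carry no params) can be shown in one small simulation. The following is an added example written for this page, not code from the uashield project or from any of the commenters. It assumes a hypothetical target `http://some.target/file.html` (the thread's own illustration), a made-up per-path allowlist `ALLOWED_PARAMS`, and a toy `UrlKeyedCache` that, like a cache hashing the full URL, treats every distinct query string as a separate entry. `cache_busting_url` implements the randomized-name, randomized-value, randomized-length variant furiosae describes; `normalize_cache_key` and `has_unexpected_params` are the defender's side Razikus points at: strip or flag parameters the path does not accept.

```python
import random
import string
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

ALPHABET = string.ascii_letters + string.digits

# Hypothetical per-path allowlist of query parameters the origin actually
# understands. Paths not listed are treated as accepting no parameters at all.
ALLOWED_PARAMS = {
    "/file.html": frozenset(),            # static page, no params expected
    "/search": frozenset({"q", "page"}),  # real params survive normalisation
}


def cache_busting_url(base_url, rng=None):
    """Append one query parameter with a random name and a random value, both
    of random length (the variant discussed in the thread)."""
    rng = rng or random.SystemRandom()
    name = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(1, 8)))
    value = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(4, 24)))
    parts = urlsplit(base_url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [(name, value)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def normalize_cache_key(url, allowed=ALLOWED_PARAMS):
    """Build the cache key from the path plus only the allowlisted parameters,
    sorted, so random noise parameters collapse onto the canonical URL."""
    parts = urlsplit(url)
    keep = allowed.get(parts.path, frozenset())
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    query = sorted((k, v) for k, v in pairs if k in keep)
    return urlunsplit(parts._replace(query=urlencode(query), fragment=""))


def has_unexpected_params(url, allowed=ALLOWED_PARAMS):
    """True if the request carries a parameter the path does not accept; this
    is the signal a site could use to reject or rate-limit such requests."""
    parts = urlsplit(url)
    keep = allowed.get(parts.path, frozenset())
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return any(k not in keep for k, _ in pairs)


class UrlKeyedCache:
    """Toy HTTP cache. With the default key function it keys on the full URL
    including the query string, so every distinct query string is a miss."""

    def __init__(self, key_fn=None):
        self.key_fn = key_fn or (lambda url: url)
        self.store = {}
        self.hits = 0
        self.misses = 0

    def fetch(self, url, origin):
        key = self.key_fn(url)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        self.misses += 1
        body = origin(url)
        self.store[key] = body
        return body


def simulate(n=50, seed=1234):
    """Send n cache-busting requests for the same page through a naive cache
    and a normalising cache; return hit/miss counts for both."""
    rng = random.Random(seed)  # seeded only so the run is reproducible
    base = "http://some.target/file.html"  # hypothetical target from the thread
    urls = [cache_busting_url(base, rng) for _ in range(n)]

    def origin(_url):
        return "<html>constructed sample body</html>"

    naive = UrlKeyedCache()
    hardened = UrlKeyedCache(key_fn=normalize_cache_key)
    for url in urls:
        naive.fetch(url, origin)
        hardened.fetch(url, origin)
    return {
        "distinct_urls": len(set(urls)),
        "naive_misses": naive.misses,
        "hardened_misses": hardened.misses,
        "hardened_hits": hardened.hits,
        "flagged": sum(has_unexpected_params(u) for u in urls),
    }


if __name__ == "__main__":
    print(simulate())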

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment