* Stuart Henderson <stu@spacehopper.org> le [29-01-2018 08:14:03 +0000]:
> On 2018-01-28, Thuban <thuban@yeuxdelibad.net> wrote:
> >
> >> Yes it's possible. Make sure to set the appriopriate HTTP headers aswell
> >> with relayd: read "Accept-Encoding" and if it's acceptable set
> >> "Content-Encoding".
> >
> > Indeed, it works.
> >
> > relayd.conf :
> >
> > match response header "Accept-Encoding" value "gzip"
> > match response header set "Content-Encoding" value "gzip"
> >
> > Then :
> >
> > cd /var/www/htdocs/site
> > gzip style.css && mv style.css.gz style.css
> >
> > Now, open URL pointing to style.css, and here you go.
> >
> > However, all your files must be gzipped, or the browser is unhappy.
> >
> > Thanks a lot.
> >
> >
>
> Fun hack, but it's going to break for a browser that doesn't support gzip.
> Also it's a nice trap for the next admin that comes along (which may be your
> future self :)
The fun part comes when you trap script kiddies with gzip bomb:
- Create a bomb : `dd if=/dev/zero bs=1M count=10240 | gzip > surprise.html`
(yeah, this is not html, but bots don't care)
- In html code, put something like
<a rel="nofollow" style="display:none;" href="surprise.html">Do NOT follow this link or you will have problems!</a>
- In relayd.conf :
match request header "Accept-Encoding" value "gzip"
match request path "/surprise.html"
match response header set "Content-Encoding" value "gzip"
A bot fetching "surprise.html" will see CPU usage increasing, too bad...
Regards.
No comments:
Post a Comment