Forum Discussion

dburnett_103851
Mar 10, 2009

Max No. of Headers

Just wondering what other ASM users have this set to in their HTTP Protocol Compliance settings.

The default value is 20 but I've started to notice requests from what look like mobile 3G devices being blocked because they exceed this number.

Anyone know why F5 set the level at 20 (must have been a reason) and what is a sensible level to set if increasing from the default?

5 Replies

  • Out of curiosity, what are the header names/values that the WAP clients send? I know some WAP devices have very very long Accept headers, but I haven't seen requests with a large number of headers.

    I would guess the setting is there to protect apps that crash from parsing too many HTTP headers. Maybe someone from F5 would like to comment on this. Else, you could open a case with F5 Support. The only concrete vulnerability I could find on the internets is to an old Secunia alert:

    http://secunia.com/advisories/12666/

    Description:

    Luigi Auriemma has reported a vulnerability in Icecast, which can be exploited by malicious people to compromise a vulnerable system.

    The vulnerability is caused due to a boundary error in the parsing of HTTP headers. This can be exploited to cause a buffer overflow by supplying more than 31 headers in an HTTP request.

    Successful exploitation allows execution of arbitrary code.

    If you're seeing legitimate requests with more than 20 headers you can increase it to a level above the highest number of headers you've seen in a legal request, or you can disable the check. I suppose you could also use an iRule to remove request headers which the app doesn't use.

    Aaron
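The two controls Aaron describes (a hard cap on the number of request headers, and stripping headers the application does not use), as an added Python example that is not F5's code or the poster's: a small request-head parser that counts headers, handles folded continuation lines, flags a request that exceeds a configurable limit, and drops headers outside an allowlist. The sample request, the limit values and the header names in it are constructed for illustration.

```python
# Added example (not F5/ASM code): max-header-count check plus allowlist stripping.
DEFAULT_MAX_HEADERS = 20  # the ASM default quoted in the question


def parse_request(raw):
    """Return (request_line, [(name, value), ...]) for a raw HTTP/1.1 request head."""
    head, _sep, _body = raw.partition("\r\n\r\n")   # headers end at the blank line
    lines = head.split("\r\n")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        if line[0] in " \t":  # obsolete line folding: belongs to the previous header
            if not headers:
                raise ValueError("continuation line before any header")
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def header_count_violation(headers, limit=DEFAULT_MAX_HEADERS):
    """True when the request carries more headers than the policy allows."""
    return len(headers) > limit


def strip_unlisted_headers(headers, keep):
    """Keep only headers the application actually uses (case-insensitive names)."""
    wanted = {k.lower() for k in keep}
    return [(n, v) for n, v in headers if n.lower() in wanted]


# Constructed sample: a WAP-gateway style request with six headers, one folded.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.co.uk\r\n"
    "Accept: application/vnd.wap.xhtml+xml,\r\n"
    " text/html, */*\r\n"
    "User-Agent: SAMSUNG-SGH-G600/G600ABHF1 NetFront/3.4\r\n"
    "X-Nokia-BEARER: GPRS\r\n"
    "X-Forwarded-For: 10.0.0.1, 10.0.0.2\r\n"
    "Via: 1.1 wap-gateway\r\n"
    "\r\n"
)

if __name__ == "__main__":
    _line, hdrs = parse_request(SAMPLE_REQUEST)
    print(len(hdrs), "headers; over limit:", header_count_violation(hdrs))
```

Raising `limit` past the highest count seen in legitimate traffic, or narrowing the allowlist passed to `strip_unlisted_headers`, corresponds to the two options in the reply above.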
  • This is an example of one such request (sanitised a little) which seems to have come from a Samsung mobile device and has 23 headers:

    GET /home/_site/campaign/isa09/index.html HTTP/1.1
    X-ICAP-Version: 1.0
    Host: www.XXXXXXX.co.uk
    Connection: keep-alive
    Content-Length: 0
    Cookie: TS4b6c63=b793df88d6d751a4f3d76bdc2324649738b61ea5845562c149b819e7; PD_STATEFUL_9bbcce68-1d01-11dd-b04f-c0a84102aa77=%2Feai;
    Cache-Control: no-cache
    Pragma: no-cache
    Accept: application/vnd.wap.xhtml+xml, application/xhtml+xml, text/html, application/vnd.wap.wmlc, image/vnd.wap.wbmp, image/png, image/jpeg, image/gif, image/bmp, text/vnd.wap.wml, text/vnd.wap.wmlscript, application/vnd.oma.dd+xml, text/vnd.sun.j2me.app-descriptor, application/java-archive, application/vnd.wap.multipart.mixed, multipart/mixed, application/vnd.oma.drm.message, application/vnd.oma.drm.content, */*
    Accept-Charset: utf-8;q=1.0,utf-16;q=1.0,iso-8859-1;q=0.6,*;q=0.1
    Accept-Language: en
    Referer: http://www.XXXXXXXX.co.uk/home/_site/channels/savings/tax-free-savings/fixed-rate-cash-isa/index.html
    User-Agent: SAMSUNG-SGH-G600/G600ABHF1 NetFront/3.4 Profile/MIDP-2.0 Configuration/CLDC-1.1
    x-wap-profile: "http://wap.samsungmobile.com/uaprof/SGH-G600.xml"
    X-Nokia-RemoteSocket: 10.46.195.135:13848
    X-Nokia-LocalSocket: 193.35.132.107:8080
    X-Nokia-Gateway-Id: NBG/1.0.91/91
    X-Nokia-BEARER: GPRS
    X-Nokia-CONNECTION_MODE: TCP
    Cookie2: $Version=1
    X-Orange-ID: b2sjeqTnpjxP0JrtSMLmYw==
    X-Forwarded-For: 10.46.195.135, 193.35.132.106
    Via: 1.1, 1.1 bdp-proxy2 (NetCache NetApp/6.0.6P1)
  • Ido_Breger_3805
    Historic F5 Account
    The reason, like Aaron mentioned, is simply to prevent an application DOS/failure due to parsing many headers.

    We believe that 20 is a good number for 80% of the apps.

    Now, if we start to see that many customers share the same case, we would increase this default setting...

    Cheers,

    Ido
    • Zeeshan_Ahmad_1
      What is the impact if we increase it for a single application where the legitimate number of headers is about 40?
    • Vijay_E
      I have changed this number and have not noticed any issues in the past.