Possible Security Threat

Open longle255 opened this issue 12 years ago • 4 comments

I'm running a compound server which has just got a request like this [tiniweb-0 (out) 2014-01-09T18:22:36] GET http://www.soso.com/ controller: web/home action: index

Normally the controller: web/home action: index is set for the route '/',

Does anyone know how it is possible to create a request like that, and how to prevent that type of request?

Thanks for your input

longle255 avatar Jan 09 '14 13:01 longle255

Could you please clarify what you mean? What do you want to prevent? What is wrong with your output? What is desired effect?

1602 avatar Jan 09 '14 13:01 1602

This is my route

module.exports.routes = function(map) {
  map.get('/', 'web/home#index');
}

What I'm expecting here is that the action index of controller web/home will serve the route /

Based on that route the server will not serve the request GET http://www.soso.com/ and a result of 404 will be returned.

However the log shows that the request GET http://www.soso.com/ is accepted and served by action index of controller web/home, which leads to an unexpected result.

So my question here is how to prevent that type of request.

longle255 avatar Jan 09 '14 13:01 longle255

Unable to reproduce.

anatoliychakkaev avatar Jan 09 '14 14:01 anatoliychakkaev

I can't either. That issue happened on a production environment. After doing some searching on the internet I found this https://www.gpf-comics.com/dnsbl/index.php?ip=125.18.240.104 which points out

Additional Comments: Attack begins with what appears to be a simple proxy attempt to an external site, but subsequent requests repeatedly concatenate the previous request URLs until this quickly becomes an overflow attack. 40+ attempts, no legitimate requests. Indian IP listed at StopForumSpam.com, BotScout.com, Project Honey Pot (comment spammer).

125.18.240.104 - - [18/Dec/2013:07:45:28 +0000] "GET http://www.soso.com/ HTTP/1.1" 301 - "http://www.soso.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"

125.18.240.104 - - [18/Dec/2013:07:45:29 +0000] "GET http://www.soso.comhttp/www.soso.com/ HTTP/1.1" 301 - "http://www.soso.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"

longle255 avatar Jan 09 '14 15:01 longle255