1

Concerning security: should I check every page for how many variables are sent and the size of the variables that have been sent, and block GET if it is not needed on the page, for example?

I mean, maybe someone sends very, very large text many, many times as GET variables to overload my server.

Is it possible? What can I do about it?

omidh
  • why are you using `GET` to send huge data? – Keep Coding Mar 25 '15 at 12:20
  • @Testing No, I'm worried about hackers – omidh Mar 25 '15 at 12:20
  • well, you should consider using sessions and IP address and traffic to check how many and what type of calls a user is sending. Possibly you can control overload of data. But still you need to consider a number of security factors. – Keep Coding Mar 25 '15 at 12:27
  • You got me thinking. I wonder what servers and languages may be vulnerable to `GET` requests containing a (massive) message body? – SilverlightFox Mar 26 '15 at 11:06

3 Answers

1

My answer somewhat links your question to your comment:

    No, I'm worried about hackers

Security-wise, I think the first thing you should check and optimize is the site structure. The problem you mentioned is very specific, and addressing it may help to a certain degree; however, it probably won't be their primary attack.

You could always limit the GET requests (the default is somewhere around 8KB for most servers) somewhere in the server configs. You may also create a custom 414 page explaining the reason for the shorter request length.

All in all, if it's security that you're aiming for, I'd start off elsewhere (the broader picture) and then slowly tackle my way until I hit the core.

Juxhin
1

Using a GET request you can't send a huge amount of data (Apache has a default of 8000 characters; check browser limitations here). And if you don't use $_GET parameters anywhere, then there will be mostly no impact on the server. What matters here is requests per second. A normal user will not generate lots of requests.
If you are looking for security holes, start from uploaded-file execution restrictions (like PHP code in image.jpg) and other insecure access to files, XSS attacks, weak password generation and so on.

Justinas
  • Link in a couple of OWASP articles so OP has a reference to the type of attacks you've described, and you'll have yourself an upvote from me. – ʰᵈˑ Mar 25 '15 at 13:01
1

There was a big problem with how POST/GET values were handled in most languages, including PHP that could result in DOS attacks via specifically crafted requests. It was first discussed in this talk (slides are available here).

You can also read about it here and here. The main idea was that POST/GET are arrays, and that arrays are stored using hashtables. An attacker could create a DOS by purposefully creating collisions (data with the same hash value), which results in a lot of computation.

But this isn't something that should be handled at application level, so you as a PHP coder do not have to worry about it. The problem described above is an issue of how PHP handles hashtables, but you can also prevent it by limiting the size of POST/GET requests in your PHP configuration.

If you are worried about DDoS, this also would not have to be handled by your application code, but externally, e.g. by a firewall.

tim
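The server-side limits that Juxhin's answer (cap the GET request length, serve a custom 414) and tim's answer (limit POST/GET size in the PHP configuration rather than in application code) both point to, collected into one Apache httpd configuration fragment. This is an added example, not code from any answer on this page; it assumes PHP runs as mod_php, and the host name, document root, the path /errors/414.html and the specific byte and count limits are assumptions to be adjusted for the site.

```apache
# Added example (not from any answer on this page): server-side limits for
# oversized GET requests and parameter floods, for Apache httpd with mod_php.
# Host name, paths and numbers are assumptions.

# Cap the request line (method + URI + query string + HTTP version).
# Apache's default is 8190 bytes; a site that never needs long query
# strings can go lower. Requests over the limit are refused with HTTP 414.
LimitRequestLine 4096

# Cap the size of each request header and the number of headers, so the
# same trick cannot simply be moved from the URL into the headers.
LimitRequestFieldSize 8190
LimitRequestFields 100

# Serve a custom page for 414 so a user who hits the limit sees why.
ErrorDocument 414 /errors/414.html

<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html

    # Cap the request body for this directory (bytes; 0 = unlimited),
    # which bounds what a POST can carry regardless of PHP settings.
    <Directory /var/www/html>
        LimitRequestBody 2097152
    </Directory>

    # PHP-side limits (mod_php only; with PHP-FPM set these in php.ini or
    # the pool configuration instead). max_input_vars bounds how many
    # GET/POST/COOKIE entries PHP will parse into its hashtables; it was
    # introduced in PHP 5.3.9 in response to the hashtable collision DoS
    # tim's answer describes. post_max_size bounds the body PHP accepts.
    php_admin_value max_input_vars 1000
    php_admin_value post_max_size 2M
</VirtualHost>
```

Reload httpd after editing and confirm the behaviour with a request whose query string exceeds the limit; the response should be the custom 414 page, and nothing from that request reaches PHP. The equivalent knobs on nginx are large_client_header_buffers (request line and header size) and client_max_body_size; PHP's max_input_vars and post_max_size apply unchanged there, set in php.ini or the FPM pool. Per-IP rate limiting, which the comments raise, is separate from these size limits and belongs in front of the web server or in a firewall, as tim's answer says.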