Undertow:发送的cookie数量超过最大值200,可能是服务器攻击?

时间:2014-11-27 21:30:28

标签: java-ee cookies wildfly undertow

我刚刚在我的服务器日志中发现一个例外情况,似乎不是由使用我的Java EE7应用的员工触发的。这发生在Wildfly-8.1.0.Final安装上 它说Exception handling request to /manager/html/upload: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200,但日志说当时没有登录用户。此外,甚至不存在资源/manager/html/upload

我通过sshd注册了许多自动闯入尝试,这是否也可能是因为机器人试图暴力破坏可能的后端?

这是否会影响正常的应用程序使用,是否有办法防止此类错误?

这是完整的堆栈跟踪:

2014-11-27 14:55:10,655 ERROR [io.undertow.request] (default task-9) UT005023: Exception handling request to /manager/html/upload: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
    at io.undertow.util.Cookies.createCookie(Cookies.java:285) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.util.Cookies.parseCookie(Cookies.java:221) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.util.Cookies.parseRequestCookies(Cookies.java:181) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange.getRequestCookies(HttpServerExchange.java:1003) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.session.SessionCookieConfig.findSessionId(SessionCookieConfig.java:83) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.SessionCookieConfigImpl.findSessionId(SessionCookieConfigImpl.java:58) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.session.CodecSessionConfig.findSessionId(CodecSessionConfig.java:56)
    at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:142) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:677) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.HttpServletRequestImpl.getSession(HttpServletRequestImpl.java:353) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.jboss.weld.servlet.SessionHolder.requestInitialized(SessionHolder.java:47) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.servlet.HttpContextLifecycle.requestInitialized(HttpContextLifecycle.java:168) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.servlet.WeldInitialListener.requestInitialized(WeldInitialListener.java:153) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at io.undertow.servlet.core.ApplicationListeners.requestInitialized(ApplicationListeners.java:216) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:239) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]

2014-11-27 14:55:10,663 ERROR [io.undertow.request] (default task-9) UT005022: Exception generating error page /errors/error.xhtml: java.lang.RuntimeException: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:408) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:319) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:263) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
Caused by: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
    at io.undertow.util.Cookies.createCookie(Cookies.java:285) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.util.Cookies.parseCookie(Cookies.java:221) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.util.Cookies.parseRequestCookies(Cookies.java:181) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange.getRequestCookies(HttpServerExchange.java:1003) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.session.SessionCookieConfig.findSessionId(SessionCookieConfig.java:83) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.SessionCookieConfigImpl.findSessionId(SessionCookieConfigImpl.java:58) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.session.CodecSessionConfig.findSessionId(CodecSessionConfig.java:56)
    at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:142) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:677) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.HttpServletRequestImpl.getSession(HttpServletRequestImpl.java:353) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.omnifaces.filter.HttpFilter.doFilter(HttpFilter.java:76) [omnifaces-1.8.1.jar:1.8.1-20140603]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:229) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:172) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:402) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    ... 10 more

2014-11-27 14:55:10,673 ERROR [io.undertow.servlet.request] (default task-9) UT015005: Error invoking method requestDestroyed on listener class org.jboss.weld.servlet.WeldInitialListener: java.lang.NullPointerException
    at org.jboss.weld.context.AbstractBoundContext.deactivate(AbstractBoundContext.java:71) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.context.http.HttpRequestContextImpl.deactivate(HttpRequestContextImpl.java:70) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.servlet.HttpContextLifecycle.requestDestroyed(HttpContextLifecycle.java:225) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.servlet.WeldInitialListener.requestDestroyed(WeldInitialListener.java:136) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at io.undertow.servlet.core.ApplicationListeners.requestDestroyed(ApplicationListeners.java:225) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:283) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]

2014-11-27 14:55:10,674 ERROR [io.undertow.request] (default task-9) Blocking request failed HttpServerExchange{ GET /errors/error.xhtml}: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
    at io.undertow.util.Cookies.createCookie(Cookies.java:285)
    at io.undertow.util.Cookies.parseCookie(Cookies.java:221)
    at io.undertow.util.Cookies.parseRequestCookies(Cookies.java:181)
    at io.undertow.server.HttpServerExchange.getRequestCookies(HttpServerExchange.java:1003)
    at io.undertow.server.session.SessionCookieConfig.findSessionId(SessionCookieConfig.java:83)
    at io.undertow.servlet.spec.SessionCookieConfigImpl.findSessionId(SessionCookieConfigImpl.java:58)
    at org.wildfly.extension.undertow.session.CodecSessionConfig.findSessionId(CodecSessionConfig.java:56)
    at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:142)
    at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:677)
    at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:707)
    at io.undertow.servlet.spec.ServletContextImpl.updateSessionAccessTime(ServletContextImpl.java:711)
    at io.undertow.servlet.spec.HttpServletResponseImpl.responseDone(HttpServletResponseImpl.java:522)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:287)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]

1 个答案:

答案 0 :(得分:1)

再次重新审视这一点,我发现,它似乎是一种确定的安全措施

起初我认为,在特定的时间范围内,只能生成有限数量的cookie,但情况并非如此。如果攻击者试图通过向请求发送大量cookie来攻击您的Web服务器,则会抛出此异常,可能导致缓冲区溢出。

这是source的一部分,我从中得到了这个想法,万一链接将会死亡:

  

请求中的Cookie太多

     

详细说明

     

每个HTTP请求可能包含cookie。这些cookie包含发送请求的用户的其他属性,例如个性化信息,会话标识符等。由于cookie是由服务器而不是客户端设置的,因此每个应用程序的cookie数通常是静态的。

     

这是什么意思?

     

攻击者可能希望发送包含许多Cookie的请求的主要方案有两种。一种情况是尝试发送大量cookie数据,这可能导致解析机制失败。攻击者注入额外cookie的另一种情况是试图欺骗依赖cookie数据的安全组件。

     

可能的攻击

     

与此违规相关的最可能的攻击是针对Web服务器解析机制或针对处理cookie的应用程序的缓冲区溢出攻击。它还可能涉及各种拒绝服务攻击,以及规避安全机制。

     

攻击检测

     

此违规的单个实例表示攻击者尝试发送包含过多Cookie的请求。用户不会意外地创建其他cookie。

     

误报的检测

     

某些应用程序实际上可能会使用大量Cookie。这可能是因为在客户端通过cookie存储了许多变量,或者是因为使用了动态生成的cookie,这些cookie在整个会话期间不断被替换,而没有正确地删除过期的。

相关问题
最新问题