Too big header x-device-info Topic is solved
Moderator: trava90
Forum rules
This board is for technical/general usage questions and troubleshooting for the Pale Moon browser only.
Technical issues and questions not related to the Pale Moon browser should be posted in other boards!
Please keep off-topic and general discussion out of this board, thank you!
-
ksetmb
- Newbie

- Posts: 4
- Joined: 2025-08-22, 05:54
Too big header x-device-info
When I try to log in on some site, I get a 400 error "Size of a request header field exceeds server limit". In the request, the x-device-info header has 10248 symbols. How can I block this? This problem occurs only in Pale Moon. My current version is 33.8.1.2.
-
ksetmb
- Newbie

- Posts: 4
- Joined: 2025-08-22, 05:54
Re: Too big header x-device-info
Here is the decoded value of the x-device-info header:
-
Moonchild
- Project founder

- Posts: 39119
- Joined: 2011-08-28, 17:27
- Location: Sweden
Re: Too big header x-device-info
Which site is this?
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
ksetmb
- Newbie

- Posts: 4
- Joined: 2025-08-22, 05:54
-
Moonchild
- Project founder

- Posts: 39119
- Joined: 2011-08-28, 17:27
- Location: Sweden
Re: Too big header x-device-info
Thanks.
I checked and this is webmaster error. They are enumerating whatever they can record of your browser (enumerating the entirety of window.navigator) and shoving it all (and more) into a header, which overflows the allowed space for HTTP header values on the receiving server end. So they are both requesting too much data, and then not allowing all that data to be received on the server end.
None of this should be collected at time of login, to begin with. In addition, they are stuffing authentication cookies into an unprotected http header as well (they are adding cookie information inside the x-device-info), which potentially makes the site subject to replay attacks if intercepted. The "device info" header will contain and include login/account-specific data in addition to "device" data. This is super risky. If this "device info" ends up in a statistical database that isn't as protected as account data, then this is a breach waiting to happen. You were smart masking the auth cookie data yourself in your report here -- I never expected that to be part of device info, and it shouldn't be.
I'd complain to your bank about this. They need to only collect whatever device information they explicitly need for a browser check, and not include account-private data or other irrelevant data.
Code:
    $.ajax({
        type: 'POST',
        url: '/REST/client4/afterLogin',
        dataType: 'html',
        data: {
            login: login_v_elem.value,
            passwd: passwd_v_elem.value,
            fl: isFl ? '1' : null
        },
        beforeSend: function(xhr) { // collect info
            // collect information
            try {
                const navigatorObj = window.navigator;
                let data = {};
                // copies every enumerable property of window.navigator
                for (var property in navigatorObj) {
                    data[property] = navigatorObj[property];
                }
                data['client-ip'] = clientIp;
                data['geolocation'] = clientGeo;
                data['authCookie'] = authCookie;
                xhr.setRequestHeader('x-auth-cookie', authCookie);
                xhr.setRequestHeader('x-client-ip', clientIp);
                // the whole object, base64-encoded, becomes one header value
                xhr.setRequestHeader('x-device-info', window.btoa(JSON.stringify(data)));
                xhr.setRequestHeader('x-fns-id', getCookie("fnsId"));
            } catch (e) {
            }
        },
        // remaining $.ajax options were not included in the post
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
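To make the two problems in that snippet concrete, here is an added example (not code from the forum post, the site in question, or Pale Moon). It runs under Node.js, so a navigator-like object is constructed to stand in for window.navigator; it builds x-device-info the way the site does, measures the value against an assumed 8 KB per-header limit, shows the auth cookie leaking into it, and contrasts that with an allowlisted build that stays small and carries no secret.

```javascript
// Added example, not code from the forum post or the site under discussion.
// Node.js; window.navigator does not exist here, so a navigator-like object
// is constructed below to stand in for it.
const HEADER_LIMIT = 8192; // assumed per-header-field limit in bytes (8 KB)

function b64(s) { return Buffer.from(s, 'utf8').toString('base64'); }

// Mirrors the site's approach: copy every enumerable navigator property,
// then bolt on client IP, geolocation and the auth cookie.
function buildFullDeviceInfo(nav, clientIp, clientGeo, authCookie) {
  const data = {};
  for (const property in nav) data[property] = nav[property];
  data['client-ip'] = clientIp;
  data['geolocation'] = clientGeo;
  data['authCookie'] = authCookie;
  return b64(JSON.stringify(data));
}

// Hardened variant: an explicit allowlist of device fields and nothing else.
// No cookie (it already travels in the Cookie header), no IP (the server sees it).
const ALLOWED = ['userAgent', 'language', 'platform', 'hardwareConcurrency'];
function buildMinimalDeviceInfo(nav) {
  const data = {};
  for (const key of ALLOWED) if (key in nav) data[key] = nav[key];
  return b64(JSON.stringify(data));
}

function exceedsLimit(headerValue) { return headerValue.length > HEADER_LIMIT; }

// Decodes the header value and checks whether a given secret ended up inside it.
function decodedContains(headerValue, needle) {
  return Buffer.from(headerValue, 'base64').toString('utf8').includes(needle);
}

// Constructed navigator stand-in: a few plain fields plus a large enumerable
// array standing in for things like plugins and mimeTypes.
const fakeNavigator = {
  userAgent: 'Mozilla/5.0 (constructed UA string)',
  language: 'en-US', platform: 'Win32', hardwareConcurrency: 8,
  plugins: Array.from({ length: 40 }, (_, i) =>
    ({ name: 'Plugin ' + i, description: 'x'.repeat(200) })),
};
const AUTH_COOKIE = 'SESSION=constructed-secret'; // constructed, not a real cookie
const full = buildFullDeviceInfo(fakeNavigator, '203.0.113.7', '0,0', AUTH_COOKIE);
const minimal = buildMinimalDeviceInfo(fakeNavigator);
console.log('full:', full.length, 'bytes, over limit:', exceedsLimit(full),
            'leaks cookie:', decodedContains(full, 'constructed-secret'));
console.log('minimal:', minimal.length, 'bytes, over limit:', exceedsLimit(minimal),
            'leaks cookie:', decodedContains(minimal, 'constructed-secret'));
```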
-
ksetmb
- Newbie

- Posts: 4
- Joined: 2025-08-22, 05:54