我刚刚在服务器日志中发现了一个异常,该异常似乎不是由使用我的 Java EE7 应用程序的员工触发的。这发生在 Wildfly-8.1.0.Final 安装上。
上面说对/manager/html/upload的异常处理请求:java.lang.IllegalStateException: UT000046: The number of cookies sent Been Beenleighed the Maximum of 200,但是日志说没有登录用户当时。而且甚至不存在资源/manager/html/upload。
我通过 sshd 注册了许多自动闯入尝试,这是否也是由机器人试图暴力破解可能的后端引起的?
这是否会影响正常的应用程序使用?有办法防止此类错误吗?
这是完整的堆栈跟踪:
2014-11-27 14:55:10,655 ERROR [io.undertow.request] (default task-9) UT005023: Exception handling request to /manager/html/upload: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
at io.undertow.util.Cookies.createCookie(Cookies.java:285) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.util.Cookies.parseCookie(Cookies.java:221) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.util.Cookies.parseRequestCookies(Cookies.java:181) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.HttpServerExchange.getRequestCookies(HttpServerExchange.java:1003) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.session.SessionCookieConfig.findSessionId(SessionCookieConfig.java:83) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.spec.SessionCookieConfigImpl.findSessionId(SessionCookieConfigImpl.java:58) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at org.wildfly.extension.undertow.session.CodecSessionConfig.findSessionId(CodecSessionConfig.java:56)
at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:142) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:677) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.spec.HttpServletRequestImpl.getSession(HttpServletRequestImpl.java:353) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at org.jboss.weld.servlet.SessionHolder.requestInitialized(SessionHolder.java:47) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
at org.jboss.weld.servlet.HttpContextLifecycle.requestInitialized(HttpContextLifecycle.java:168) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
at org.jboss.weld.servlet.WeldInitialListener.requestInitialized(WeldInitialListener.java:153) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
at io.undertow.servlet.core.ApplicationListeners.requestInitialized(ApplicationListeners.java:216) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:239) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
2014-11-27 14:55:10,663 ERROR [io.undertow.request] (default task-9) UT005022: Exception generating error page /errors/error.xhtml: java.lang.RuntimeException: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:408) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:319) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:263) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
Caused by: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
at io.undertow.util.Cookies.createCookie(Cookies.java:285) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.util.Cookies.parseCookie(Cookies.java:221) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.util.Cookies.parseRequestCookies(Cookies.java:181) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.HttpServerExchange.getRequestCookies(HttpServerExchange.java:1003) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.session.SessionCookieConfig.findSessionId(SessionCookieConfig.java:83) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.spec.SessionCookieConfigImpl.findSessionId(SessionCookieConfigImpl.java:58) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at org.wildfly.extension.undertow.session.CodecSessionConfig.findSessionId(CodecSessionConfig.java:56)
at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:142) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:677) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.spec.HttpServletRequestImpl.getSession(HttpServletRequestImpl.java:353) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at org.omnifaces.filter.HttpFilter.doFilter(HttpFilter.java:76) [omnifaces-1.8.1.jar:1.8.1-20140603]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:229) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:172) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:402) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
... 10 more
2014-11-27 14:55:10,673 ERROR [io.undertow.servlet.request] (default task-9) UT015005: Error invoking method requestDestroyed on listener class org.jboss.weld.servlet.WeldInitialListener: java.lang.NullPointerException
at org.jboss.weld.context.AbstractBoundContext.deactivate(AbstractBoundContext.java:71) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
at org.jboss.weld.context.http.HttpRequestContextImpl.deactivate(HttpRequestContextImpl.java:70) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
at org.jboss.weld.servlet.HttpContextLifecycle.requestDestroyed(HttpContextLifecycle.java:225) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
at org.jboss.weld.servlet.WeldInitialListener.requestDestroyed(WeldInitialListener.java:136) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
at io.undertow.servlet.core.ApplicationListeners.requestDestroyed(ApplicationListeners.java:225) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:283) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
2014-11-27 14:55:10,674 ERROR [io.undertow.request] (default task-9) Blocking request failed HttpServerExchange{ GET /errors/error.xhtml}: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
at io.undertow.util.Cookies.createCookie(Cookies.java:285)
at io.undertow.util.Cookies.parseCookie(Cookies.java:221)
at io.undertow.util.Cookies.parseRequestCookies(Cookies.java:181)
at io.undertow.server.HttpServerExchange.getRequestCookies(HttpServerExchange.java:1003)
at io.undertow.server.session.SessionCookieConfig.findSessionId(SessionCookieConfig.java:83)
at io.undertow.servlet.spec.SessionCookieConfigImpl.findSessionId(SessionCookieConfigImpl.java:58)
at org.wildfly.extension.undertow.session.CodecSessionConfig.findSessionId(CodecSessionConfig.java:56)
at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:142)
at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:677)
at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:707)
at io.undertow.servlet.spec.ServletContextImpl.updateSessionAccessTime(ServletContextImpl.java:711)
at io.undertow.servlet.spec.HttpServletResponseImpl.responseDone(HttpServletResponseImpl.java:522)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:287)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
最佳答案
再次回顾这一点,我发现,这似乎确实是一种安全措施。
起初我以为 undertow 无法在特定时间范围内仅生成有限数量的 cookie,但事实不应该如此。如果攻击者试图通过随请求发送大量 cookie 来攻击您的 Web 服务器,则会引发此异常,可能会导致缓冲区溢出。
这是 source 的一部分,我从那里得到了这个想法,以防链接失效:
Too Many Cookies in Request
Detailed Description
Each HTTP request may contain cookies. These cookies contain additional attributes of the user sending the request, such as personalized information, a session identifier, etc. As cookies are set by the server and not by the client, the number of cookies is usually static for each application.
What Does It Mean?
There are two main scenarios in which an attacker may want to send a request containing many cookies. One scenario is an attempt to send large amounts of cookie data, which may cause the parsing mechanism to fail. The other scenario in which an attacker will inject additional cookies is an attempt to fool security components which rely on cookie data.
Possible Attacks
The most likely attack related to this violation is a Buffer Overflow attack against the web server parsing mechanism or against the application handling the cookies. It may also relate to various Denial of Service attacks, as well as to circumvention of security mechanisms.
Detection of Attacks
A single instance of this violation indicates that an attacker tried sending a request containing too many cookies. Users cannot accidentally create additional cookies.
Detection of False Positives
Some applications may actually use a large number of cookies. This may be the result of storing many variables on the client side through cookies, or as a result of using dynamically generated cookies which are replaced constantly throughout a session, without properly erasing expired ones.
关于jakarta-ee - Undertow:发送的cookie数量超过最大200,可能是服务器攻击?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/27178887/