TIL you can crash Tomcat request processing if the app reads request bodies using a reader() and you feed it a JSON body with an innocent nbsp :) The whole request processing just goes *pooooft*

Reminds me of an iOS bug which could brick the phone if it received an SMS with weird chars.

These linchpin bugs, where a single byte/char in the right place at the right time can tear things down, are so subtle and fascinate me for some reason :)

  • 2
    Those are fun!
  • 0
    Or you just shoot it down with any arbitrary SAM
  • 1

    Many HTTP clients lack a complete understanding of HTTP headers.

    Be it the case insensitivity, the length, illegal chars, multiple headers with the same name, ...

    HTTP headers are scary. Really... Really... Scary.