fullhunt / log4j-scan

A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228
MIT License

[Discussion]: Provide a 'headers-minimal.txt' file #83

Closed axel3rd closed 2 years ago

axel3rd commented 2 years ago

While using this (⭐ so nice ⭐) scanner, I have noticed that many security appliances (firewalls, ...) refuse any request which has more than 50 headers.

So the 68 default headers of headers.txt (70 lines, but 1 blank line & a duplicated X-Api-Version)

I don't know if this value (50) is a ~default for many network security solutions, but having a headers-minimal.txt could be relevant.

It remains to find the ~20 headers which can be removed safely (which do not reduce the attack surface too much).
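As an added illustration of the header-count problem described above (example code, not part of log4j-scan itself): the snippet normalises a headers file the way the post counts it (drops blank lines, collapses the duplicated `X-Api-Version` case-insensitively) and splits the result into batches that stay under an assumed 50-header cap, so a scan of one's own hosts can be run in several passes rather than dropping headers. The sample file content is constructed, not the project's real `headers.txt`.

```python
"""Normalise a log4j-scan style headers file and split it into batches.

The header cap of 50 is the value reported in the issue, assumed here as a
default; the sample file below is constructed for the example.
"""
from typing import Dict, List

HEADER_LIMIT = 50  # assumed cap enforced by some middleboxes (see issue)

# Constructed sample: one blank line and a duplicated X-Api-Version,
# mirroring the defects the post counts in the real headers.txt.
SAMPLE_HEADERS_TXT = """Accept
X-Api-Version

User-Agent
x-api-version
Referer
"""


def normalize_headers(text: str) -> List[str]:
    """Return unique, non-empty header names in original order.

    HTTP header names are case-insensitive, so 'X-Api-Version' and
    'x-api-version' count as the same header."""
    seen = set()
    names: List[str] = []
    for line in text.splitlines():
        name = line.strip()
        if not name or name.startswith("#"):
            continue
        key = name.lower()
        if key in seen:
            continue
        seen.add(key)
        names.append(name)
    return names


def split_batches(headers: List[str], limit: int = HEADER_LIMIT) -> List[List[str]]:
    """Chunk the header list so no batch exceeds the cap."""
    if limit < 1:
        raise ValueError("limit must be at least 1")
    return [headers[i:i + limit] for i in range(0, len(headers), limit)]


def report(text: str, limit: int = HEADER_LIMIT) -> Dict[str, int]:
    """Summarise a headers file: unique count, lines dropped, batches needed."""
    raw_lines = len(text.splitlines())
    headers = normalize_headers(text)
    return {
        "raw_lines": raw_lines,
        "unique": len(headers),
        "dropped": raw_lines - len(headers),
        "batches": len(split_batches(headers, limit)),
    }
```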

mazen160 commented 2 years ago

Hi @axel3rd,

Thank you! This is an excellent idea, we should have a minimal version to help in targeted scans.