Undertow: The number of cookies sent exceeded the maximum of 200, possible server attack?


I just found an exception in my server logs that doesn't seem to be triggered by the employees who use my Java EE 7 app. This happened on a Wildfly-8.1.0.Final installation.
It said "Exception handling request to /manager/html/upload: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200", but the logs said that there were no logged-in users at the time. Also, there doesn't even exist a resource /manager/html/upload.

I register many automated break-in attempts via sshd, could this also be caused by a bot trying to brute force a possible backend?

Does this affect normal application usage and is there a way to prevent such errors?

Here is the full stacktrace:

2014-11-27 14:55:10,655 ERROR [io.undertow.request] (default task-9) UT005023: Exception handling request to /manager/html/upload: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
    at io.undertow.util.Cookies.createCookie(Cookies.java:285) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.util.Cookies.parseCookie(Cookies.java:221) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.util.Cookies.parseRequestCookies(Cookies.java:181) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange.getRequestCookies(HttpServerExchange.java:1003) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.session.SessionCookieConfig.findSessionId(SessionCookieConfig.java:83) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.SessionCookieConfigImpl.findSessionId(SessionCookieConfigImpl.java:58) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.session.CodecSessionConfig.findSessionId(CodecSessionConfig.java:56)
    at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:142) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:677) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.HttpServletRequestImpl.getSession(HttpServletRequestImpl.java:353) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.jboss.weld.servlet.SessionHolder.requestInitialized(SessionHolder.java:47) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.servlet.HttpContextLifecycle.requestInitialized(HttpContextLifecycle.java:168) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.servlet.WeldInitialListener.requestInitialized(WeldInitialListener.java:153) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at io.undertow.servlet.core.ApplicationListeners.requestInitialized(ApplicationListeners.java:216) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:239) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]

2014-11-27 14:55:10,663 ERROR [io.undertow.request] (default task-9) UT005022: Exception generating error page /errors/error.xhtml: java.lang.RuntimeException: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:408) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:319) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:263) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
Caused by: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
    at io.undertow.util.Cookies.createCookie(Cookies.java:285) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.util.Cookies.parseCookie(Cookies.java:221) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.util.Cookies.parseRequestCookies(Cookies.java:181) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange.getRequestCookies(HttpServerExchange.java:1003) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.session.SessionCookieConfig.findSessionId(SessionCookieConfig.java:83) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.SessionCookieConfigImpl.findSessionId(SessionCookieConfigImpl.java:58) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.session.CodecSessionConfig.findSessionId(CodecSessionConfig.java:56)
    at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:142) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:677) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.HttpServletRequestImpl.getSession(HttpServletRequestImpl.java:353) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.omnifaces.filter.HttpFilter.doFilter(HttpFilter.java:76) [omnifaces-1.8.1.jar:1.8.1-20140603]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:229) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:172) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:402) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    ... 10 more

2014-11-27 14:55:10,673 ERROR [io.undertow.servlet.request] (default task-9) UT015005: Error invoking method requestDestroyed on listener class org.jboss.weld.servlet.WeldInitialListener: java.lang.NullPointerException
    at org.jboss.weld.context.AbstractBoundContext.deactivate(AbstractBoundContext.java:71) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.context.http.HttpRequestContextImpl.deactivate(HttpRequestContextImpl.java:70) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.servlet.HttpContextLifecycle.requestDestroyed(HttpContextLifecycle.java:225) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.servlet.WeldInitialListener.requestDestroyed(WeldInitialListener.java:136) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at io.undertow.servlet.core.ApplicationListeners.requestDestroyed(ApplicationListeners.java:225) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:283) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]

2014-11-27 14:55:10,674 ERROR [io.undertow.request] (default task-9) Blocking request failed HttpServerExchange{ GET /errors/error.xhtml}: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
    at io.undertow.util.Cookies.createCookie(Cookies.java:285)
    at io.undertow.util.Cookies.parseCookie(Cookies.java:221)
    at io.undertow.util.Cookies.parseRequestCookies(Cookies.java:181)
    at io.undertow.server.HttpServerExchange.getRequestCookies(HttpServerExchange.java:1003)
    at io.undertow.server.session.SessionCookieConfig.findSessionId(SessionCookieConfig.java:83)
    at io.undertow.servlet.spec.SessionCookieConfigImpl.findSessionId(SessionCookieConfigImpl.java:58)
    at org.wildfly.extension.undertow.session.CodecSessionConfig.findSessionId(CodecSessionConfig.java:56)
    at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:142)
    at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:677)
    at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:707)
    at io.undertow.servlet.spec.ServletContextImpl.updateSessionAccessTime(ServletContextImpl.java:711)
    at io.undertow.servlet.spec.HttpServletResponseImpl.responseDone(HttpServletResponseImpl.java:522)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:287)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
Answer by Zhedar (accepted answer):

Revisiting this again, I discovered that it does indeed seem to be a security measure of Undertow.

At first I thought Undertow could only generate a limited number of cookies in a specific timeframe, but that shouldn't be the case. This exception is thrown if an attacker tries to attack your web server by sending a lot of cookies with the request, possibly causing a buffer overflow.

Here's part of the source where I got this idea from, in case the link goes dead:

Too Many Cookies in Request

Detailed Description

Each HTTP request may contain cookies. These cookies contain additional attributes of the user sending the request, such as personalized information, a session identifier, etc. As cookies are set by the server and not by the client, the number of cookies is usually static for each application.

What Does It Mean?

There are two main scenarios in which an attacker may want to send a request containing many cookies. One scenario is an attempt to send large amounts of cookie data, which may cause the parsing mechanism to fail. The other scenario in which an attacker will inject additional cookies is an attempt to fool security components which rely on cookie data.

Possible Attacks

The most likely attack related to this violation is a Buffer Overflow attack against the web server parsing mechanism or against the application handling the cookies. It may also relate to various Denial of Service attacks, as well as to circumvention of security mechanisms.

Detection of Attacks

A single instance of this violation indicates that an attacker tried sending a request containing too many cookies. Users cannot accidentally create additional cookies.

Detection of False Positives

Some applications may actually use a large number of cookies. This may be the result of storing many variables on the client side through cookies, or as a result of using dynamically generated cookies which are replaced constantly throughout a session, without properly erasing expired ones.
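To answer the question's two practical worries (is this a bot, and does it hit normal users) from the log alone, here is an added triage script that is not part of the question or answer: it parses the header lines of the four stack traces above, counts the UT000046 events, groups lines that belong to one offending request into a burst, and flags request paths the application does not serve. The sample input is taken from the question's log plus one constructed benign INFO line; the list of path prefixes the app serves (/errors/, /app/) is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Shape of the Undertow/WildFly log lines in the question: timestamp, level,
# logger, worker thread, optional UTnnnnnn message id, free-text message.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msgid>UT\d{6})?[: ]*(?P<msg>.*)$"
)
# The request path is phrased three different ways across the error lines.
PATH_RE = re.compile(r"(?:request to|error page|HttpServerExchange\{ \w+) (?P<path>/\S+?)[:}]")
COOKIE_LIMIT_ID = "UT000046"  # "The number of cookies sent exceeded the maximum"

# Header lines of the four stack traces from the question, plus one
# constructed benign INFO line to show that unrelated entries are ignored.
SAMPLE_LINES = [
    "2014-11-27 14:55:10,655 ERROR [io.undertow.request] (default task-9) UT005023: Exception handling request to /manager/html/upload: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200",
    "2014-11-27 14:55:10,663 ERROR [io.undertow.request] (default task-9) UT005022: Exception generating error page /errors/error.xhtml: java.lang.RuntimeException: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200",
    "2014-11-27 14:55:10,673 ERROR [io.undertow.servlet.request] (default task-9) UT015005: Error invoking method requestDestroyed on listener class org.jboss.weld.servlet.WeldInitialListener: java.lang.NullPointerException",
    "2014-11-27 14:55:10,674 ERROR [io.undertow.request] (default task-9) Blocking request failed HttpServerExchange{ GET /errors/error.xhtml}: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200",
    "2014-11-27 14:56:02,001 INFO [org.example.app] (default task-3) constructed benign line: user logged in",
]

def parse_line(line):
    """Return a dict for a log line in the format above, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    rec["cookie_limit"] = COOKIE_LIMIT_ID in line   # the Undertow cookie cap was hit
    p = PATH_RE.search(line)
    rec["path"] = p.group("path") if p else None
    return rec

def triage(lines, known_prefixes, window_seconds=5):
    """Count UT000046 events, group them into bursts, flag paths the app does not serve."""
    events = [r for r in map(parse_line, lines) if r and r["cookie_limit"]]
    by_path = Counter(r["path"] for r in events if r["path"])
    unknown = sorted(p for p in by_path if not any(p.startswith(k) for k in known_prefixes))
    # One offending request logs several lines within milliseconds (request,
    # error-page dispatch, response cleanup), so close timestamps form one burst.
    bursts, last = 0, None
    for r in events:
        if last is None or (r["ts"] - last).total_seconds() > window_seconds:
            bursts += 1
        last = r["ts"]
    return {"events": len(events), "by_path": dict(by_path), "unknown_paths": unknown, "bursts": bursts}

if __name__ == "__main__":
    print(triage(SAMPLE_LINES, known_prefixes=["/errors/", "/app/"]))  # assumed app prefixes
```

On the question's log this yields one burst of three events from a single request to a path the app does not have, so nothing reached a real user; the error-page lines only appear because the same oversized Cookie header is parsed again while dispatching /errors/error.xhtml. The cap itself is Undertow's UndertowOptions.MAX_COOKIES server option (default 200), which is only worth raising if the application genuinely sets that many cookies.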