fmavituna|8 years ago
We are developing a web application security scanner [1] and we indeed use a max length setting and also detect binary responses; I just tested this and, as expected, it worked fine.
I'm actually surprised that many other scanners failed to do this.
[1] https://www.netsparker.com

vgb2k11|8 years ago
> Wouldn't all but the most naive scanners use time-out settings, maximum lengths on bytes read, etc.?
It wouldn't save a scanner from crashing to use a time-out or max read bytes. The defense can send the 100 KB of zipped data in a matter of seconds. The client then decompresses the zipped data, which expands to gigabytes, causing crashes by out-of-memory.
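The failure mode above, as an added example that is not part of the thread and not code from any scanner mentioned in it: a constructed gzip bomb is small on the wire, so a client that caps only the raw bytes it reads inflates the whole thing into memory; the second client caps the inflated output instead and rejects the body as soon as the cap is crossed. The cap values (`MAX_RAW`, `MAX_INFLATED`) and all function names are assumptions for illustration.

```python
"""Why a cap on bytes read does not stop a decompression bomb, and what does.

Added example, not from the thread. Builds a constructed gzip bomb, shows a client
that limits only raw bytes read still inflating the full payload, and a client that
limits inflated bytes instead. The cap values are assumed policy, not real settings.
"""
import gzip
import zlib

MAX_INFLATED = 8 * 1024 * 1024   # assumed policy: refuse bodies that inflate past 8 MiB
MAX_RAW = 1024 * 1024            # assumed policy: read at most 1 MiB off the wire


class DecompressionBombError(Exception):
    """Raised when a response body inflates past the configured cap."""


def make_gzip_bomb(inflated_size: int) -> bytes:
    """Constructed sample: a valid gzip member that inflates to inflated_size zero bytes.

    Zeros compress near deflate's ~1000:1 limit, so 32 MiB inflated is ~32 KiB on the wire.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, 31)   # wbits=31: write a gzip container
    chunk = b"\0" * (1024 * 1024)
    out = bytearray()
    remaining = inflated_size
    while remaining > 0:
        n = min(len(chunk), remaining)
        out += comp.compress(chunk[:n])
        remaining -= n
    out += comp.flush()
    return bytes(out)


def naive_read(body: bytes, max_raw: int = MAX_RAW) -> int:
    """Scanner client that caps only the compressed bytes read, then inflates everything.

    The bomb is tiny on the wire, so the raw cap is never hit and the whole inflated
    payload lands in memory. Returns the inflated size to show how much was allocated.
    """
    raw = body[:max_raw]
    return len(gzip.decompress(raw))


def safe_inflate(body: bytes, max_inflated: int = MAX_INFLATED, chunk: int = 64 * 1024) -> bytes:
    """Inflate incrementally and stop the moment output would exceed max_inflated."""
    d = zlib.decompressobj(wbits=47)                  # 32+15: accept gzip or zlib headers
    out = bytearray()
    for start in range(0, len(body), chunk):
        pending = body[start:start + chunk]
        while pending:
            budget = max_inflated - len(out)
            # Ask zlib for at most budget+1 bytes: crossing the cap becomes observable
            # without ever letting it inflate an unbounded amount first.
            out += d.decompress(pending, budget + 1)
            if len(out) > max_inflated:
                raise DecompressionBombError(f"body inflates past {max_inflated} bytes")
            pending = d.unconsumed_tail               # input not processed within the budget
    out += d.flush()
    if len(out) > max_inflated:
        raise DecompressionBombError(f"body inflates past {max_inflated} bytes")
    return bytes(out)


def is_bomb(body: bytes, max_inflated: int = MAX_INFLATED) -> bool:
    """True if the inflated-size cap rejects the body."""
    try:
        safe_inflate(body, max_inflated)
    except DecompressionBombError:
        return True
    return False


if __name__ == "__main__":
    bomb = make_gzip_bomb(32 * 1024 * 1024)
    print(f"bomb is {len(bomb)} bytes on the wire")
    print(f"naive client inflated {naive_read(bomb)} bytes")   # raw-byte cap did nothing
    print(f"capped client rejects it: {is_bomb(bomb)}")
```

The same reasoning applies to a time-out: the compressed bytes arrive in well under any sensible deadline, and the memory blow-up happens after the socket read has already returned, so the only limit that helps is one applied to the decompressor's output.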
ilurkedhere|8 years ago