Servers' URL and header size limits can be exploited to break redirect chains and steal session tokens via XSS, as demonstrated in a Salesforce E&E scenario with cross-brand access. The article presents attack scenarios and defenses, such as URL allowlists and strict limit handling, that prevent token exposure. #Salesforce #1-brand.com #2-brand.com #Gunicorn #NGINX #Apache #sessiontoken #redirect
Keypoints
- Servers enforce URL and header size limits that determine whether a request is processed or rejected.
- The 414 (URI Too Long) and 431 (Request Header Fields Too Large) status codes can be exploited to escalate XSS and intercept tokens via redirect chains.
- Attack scenarios demonstrate breaking redirect flows by exceeding URL or Cookie header limits (e.g., the 2002-char Salesforce URL limit, the 8185-char Gunicorn header limit).
- Exploits can enable session token theft across brands under the same company via shared redirects.
- Defenses include strict URL allowlists, sensible limit handling, and redirect patterns that prevent token exposure.
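One way to apply the defenses listed above before emitting a redirect, as an added example that is not code from the article or from any of the products it names. The allowlisted hosts, the 2000-char cap (chosen to stay below the 2002-char and 8185-char limits cited above) and the list of token-like query parameter names are assumptions for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist: only these brand hosts may be redirect targets.
ALLOWED_REDIRECT_HOSTS = {"1-brand.com", "2-brand.com"}
# Assumed cap, kept below the server limits cited in the summary so that a
# redirect we emit cannot itself trip a 414/431 further down the chain.
MAX_REDIRECT_URL_LENGTH = 2000
# Assumed names of query parameters that must never ride in a redirect target.
TOKEN_PARAMS = {"session", "token", "sid", "access_token"}


def validate_redirect_target(url: str) -> tuple[bool, str]:
    """Return (ok, reason) for a candidate redirect target.

    Strict limit handling: an oversized URL is rejected outright rather than
    truncated, because truncation is what lets an attacker decide where a
    redirect chain breaks.
    """
    if len(url) > MAX_REDIRECT_URL_LENGTH:
        return False, "url too long"
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme not https"
    # Reject userinfo: "https://evil.example\\@1-brand.com/" parses here with
    # hostname 1-brand.com, but a browser would treat the backslash as a
    # path separator and go to evil.example.
    if parts.username or parts.password or "\\" in url:
        return False, "userinfo in url"
    if (parts.hostname or "") not in ALLOWED_REDIRECT_HOSTS:
        return False, "host not allowlisted"
    query = parse_qs(parts.query, keep_blank_values=True)
    if any(name.lower() in TOKEN_PARAMS for name in query):
        return False, "token in query"
    # Fragments are never sent to the server, so a token placed there would
    # only be visible client-side; refuse them so tokens cannot hide there.
    if parts.fragment:
        return False, "fragment not allowed"
    return True, "ok"


def safe_redirect_location(url: str, fallback: str = "https://1-brand.com/") -> str:
    """Return the validated target, or the allowlisted fallback on any failure."""
    ok, _reason = validate_redirect_target(url)
    return url if ok else fallback
```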
Read More: https://castilho.sh/scream-until-escalates