RE: Transfer-Encoding and XSS

Anecdotally, I’ve never seen a browser itself specify a Transfer-Encoding on a *request*.

The use of Content-Encoding: gzip on certain uploads has been proposed at various points (and possible via e.g. Flash, IIRC) but it suffers from the general challenge that there’s no good way to understand whether the server will accept such encoding (and protect itself from Zip bombs attacks, etc).

From: Ricardo Iramar dos Santos <>
Sent: Monday, September 17, 2018 11:16 AM
To: WebAppSec WG <>
Subject: Transfer-Encoding and XSS

Hi All,

I know Transfer-Encoding request header per specification (xmlhttprequest and fetch) cannot be defined by the user so I'm trying to check when the browsers use it. I've already google it but I couldn't find something really clear.
What I'm trying to achieve is check if it's possible to an attacker exploit a XSS using a cross domain request take advantage of this PHP issue<>. Basically what happens is if a Apache+PHP server receive a POST request with "Transfer-Encoding: chunked" header the request body is reflected on the response body.

Ricardo Iramar

Received on Tuesday, 25 September 2018 14:42:34 UTC