Bugtraq: Re: blocking gzip encoded files

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: blocking gzip encoded files

From: mgotts () 2roads com
Date: Mon, 23 Feb 2004 18:01:59 -0800

Darwin Mecham <darwin () cissp com> wrote on 02/23/2004 02:38:39 PM:

It has recently come to my attention that most browsers happily
do Accept-encoding: gzip and streaming decompression of
HTML data received with Content-encoding: gzip
 without asking.

This has been in use since sometime in 1998.

Is there a way to configure the run-of-the-mill browser to
block these at the host level ?


I don't know of a browser setting to enable/disable it. But you can use 
something like Proxomitron to do it (http://www.proxomitron.info/). The 
gzip setting is one of the "Headers" settings and is called "
Accept-encoding: Allow webpage encoding (out)". Disable this to prevent 
gzip encoding from being used. I've done so in the past, and it does 
indeed work as advertised.

Proxomitron does *MUCH* more than this, if you are not yet familiar with 
it.

-- Mark

By Date By Thread

Current thread:

Re: Windows XP explorer.exe heap overflow., (continued)
- Re: Windows XP explorer.exe heap overflow. Tim (Feb 24)
- Re: Windows XP explorer.exe heap overflow. Chris Calabrese (Feb 23)
  - blocking gzip encoded files Darwin Mecham (Feb 23)
    - Re: blocking gzip encoded files mgotts (Feb 24)
    - Re: blocking gzip encoded files Josep L. Guallar-Esteve (Feb 24)
- RE: Windows XP explorer.exe heap overflow. Michael Wojcik (Feb 23)