Major browsers are disabling the ability to disable HTML5 ping click tracking.
As a result, you'll probably start encountering empty form posts with a content-type of "text/ping". If you are not expecting or do not need to receive ping requests to your web server, you can block them without wasting any resources processing the request further. This is important because this feature has already been used to perform DDoS attacks.
Here's a basic ColdFusion script that will identify and block HTML5 Ping requests.
<!--- 20190627
Block/Track Ping HTTP Requests using ColdFusion
GIST: https://gist.github.com/JamoCA/916dbb2d0ca0fe30ca63120bcaccc20f
BLOG: https://dev.to/gamesover/blocking-html5-ping-requests-using-coldfusion-4ei8
If you are not expecting or do not need to receive ping requests to your web server, block any
web requests that contain "Ping-To" and/or "Ping-From" HTTP headers on the edge devices (Firewall,
WAF, etc.). If you can't do that, you can still detect it in ColdFusion and abort prior to wasting
any resources processing the request further.
More info:
https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/
https://www.imperva.com/blog/the-ping-is-the-thing-popular-html5-feature-used-to-trick-chinese-mobile-users-into-joining-latest-ddos-attack/
https://hub.packtpub.com/chrome-safari-opera-and-edge-to-make-hyperlink-auditing-compulsorily-enabled/
NOTE: It appears Brave, Dissenter & Firefox offer the ability to disable "ping" tracking. Chrome has removed the ability to disable it.
--->
<cfset Headers = GetHttpRequestData(false).headers>
<cfif StructKeyExists(Headers, "Content-Type") and Headers["Content-Type"] is "text/ping">
	<!--- Optional: log headers["ping-to"] and headers["ping-from"] --->
	<cfheader statuscode="204" statustext="No Content">
	<cfabort>
</cfif>
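The same check, as an added example (not from the original post) for sites that are not running ColdFusion: a small WSGI middleware that recognises a hyperlink-auditing ping by either the "text/ping" content type or the Ping-To/Ping-From headers the post suggests blocking at the edge, logs the ping details, and answers 204 before the application sees the request. The wrapped `hello_app` and the sample requests are constructed for illustration.

```python
import logging

log = logging.getLogger("ping_filter")


def is_html5_ping(environ):
    """True if the WSGI request looks like an HTML5 <a ping> request."""
    ctype = environ.get("CONTENT_TYPE", "")
    # Compare only the media type so "text/ping; charset=..." also matches.
    if ctype.split(";", 1)[0].strip().lower() == "text/ping":
        return True
    # Ping-To / Ping-From are the headers an edge device would key on.
    return "HTTP_PING_TO" in environ or "HTTP_PING_FROM" in environ


def ping_details(environ):
    """Fields worth logging before discarding the request."""
    return {"ping_to": environ.get("HTTP_PING_TO", ""),
            "ping_from": environ.get("HTTP_PING_FROM", ""),
            "remote": environ.get("REMOTE_ADDR", "")}


class PingFilter:
    """Middleware: short-circuit ping requests with 204 No Content."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if is_html5_ping(environ):
            log.info("blocked HTML5 ping %s", ping_details(environ))
            start_response("204 No Content", [("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)


def hello_app(environ, start_response):  # constructed stand-in application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def run_request(app, environ):
    """Drive a WSGI app in-process; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


# Constructed sample requests: one browser ping, one ordinary GET.
PING_ENVIRON = {"REQUEST_METHOD": "POST", "CONTENT_TYPE": "text/ping",
                "HTTP_PING_TO": "https://example.com/landing",
                "HTTP_PING_FROM": "https://example.org/page",
                "REMOTE_ADDR": "203.0.113.7"}
NORMAL_ENVIRON = {"REQUEST_METHOD": "GET", "REMOTE_ADDR": "203.0.113.8"}
app = PingFilter(hello_app)
```

Mount `PingFilter` around your real WSGI application (or behind the WAF rule if you can block at the edge) so the ping never reaches request handling.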