DEV Community

James Moberg

Blocking HTML5 Ping Requests using ColdFusion

Major browsers are removing the option to disable HTML5 ping click tracking.

As a result, you’ll probably start encountering empty form posts with a content-type of "text/ping". If you are not expecting or do not need to receive ping requests to your web server, you can block them without wasting any resources processing the request further. This is important because this feature has already been used to perform DDoS attacks.

Here's a basic ColdFusion script that will identify and block HTML5 Ping requests.

<!--- 20190627
Block/Track Ping HTTP Requests using ColdFusion
GIST: https://gist.github.com/JamoCA/916dbb2d0ca0fe30ca63120bcaccc20f
BLOG: https://dev.to/gamesover/blocking-html5-ping-requests-using-coldfusion-4ei8
If you are not expecting or do not need to receive ping requests to your web server, block any
web requests that contain "Ping-To" and/or "Ping-From" HTTP headers on the edge devices (Firewall,
WAF, etc.). If you can't do that, you can still detect it in ColdFusion and abort prior to wasting
any resources processing the request further.
More info:
https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/
https://www.imperva.com/blog/the-ping-is-the-thing-popular-html5-feature-used-to-trick-chinese-mobile-users-into-joining-latest-ddos-attack/
https://hub.packtpub.com/chrome-safari-opera-and-edge-to-make-hyperlink-auditing-compulsorily-enabled/
NOTE: It appears Brave, Dissenter & Firefox offer the ability to disable "ping" tracking. Chrome has removed the ability to disable it.
--->
<cfset Headers = GetHttpRequestData(false).headers>
<cfif StructKeyExists(Headers, "Content-Type") and Headers["Content-Type"] is "text/ping">
    <!--- Optional: log headers["ping-to"] and headers["ping-from"] --->
    <cfheader statuscode="204" statustext="No Content">
    <cfabort>
</cfif>
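
The header comment in the script recommends matching on the "Ping-To" and "Ping-From" headers, and the script leaves logging as optional. The Application.cfc below is an added example, not part of the original gist: it applies the content-type and header checks in onRequestStart and logs the ping source and target with control characters stripped. The application name, the isPingRequest and cleanForLog helper names, and the "pingaudit" log file name are assumptions.

```cfml
// Application.cfc (added example; helper names and log file name are assumptions)
component {
    this.name = "PingBlockExample";

    // True when the request looks like an HTML5 ping (hyperlink auditing) request.
    private boolean function isPingRequest(required struct headers) {
        // Compare only the media type, so "text/ping; charset=utf-8" also matches.
        var contentType = structKeyExists(arguments.headers, "Content-Type")
            ? lCase(trim(listFirst(arguments.headers["Content-Type"], ";")))
            : "";
        return contentType == "text/ping"
            || structKeyExists(arguments.headers, "Ping-To")
            || structKeyExists(arguments.headers, "Ping-From");
    }

    // Header values are client-controlled: strip control characters (CR/LF
    // included) and cap the length before they reach a log file.
    private string function cleanForLog(required string value) {
        return left(reReplace(arguments.value, "[[:cntrl:]]", "", "all"), 500);
    }

    public boolean function onRequestStart(required string targetPage) {
        var headers = getHttpRequestData(false).headers;
        if (isPingRequest(headers)) {
            var pingFrom = structKeyExists(headers, "Ping-From") ? headers["Ping-From"] : "";
            var pingTo = structKeyExists(headers, "Ping-To") ? headers["Ping-To"] : "";
            writeLog(
                file = "pingaudit",
                type = "information",
                text = "Blocked ping from=[#cleanForLog(pingFrom)#] to=[#cleanForLog(pingTo)#] ip=#cgi.remote_addr#"
            );
            // Same response as the tag-based script: 204 and stop processing.
            cfheader(statuscode = 204, statustext = "No Content");
            abort;
        }
        return true;
    }
}
```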
