GITBOOK-4336: No subject

carlospolop · gitbook-bot · commit 62b192c21793 · 2024-05-12T19:49:11.000Z
diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
@@ -210,6 +210,20 @@ True
 
 ### HTTP headers bypass abusing PHP errors
 
+#### Causing error after setting headers
+
+From [**this twitter thread**](https://twitter.com/pilvar222/status/1784618120902005070?t=xYn7KdyIvnNOlkVaGbgL6A\&s=19) you can see that sending more than 1000 GET params or 1000 POST params or 20 files, PHOP is not going to be setting headers in the response.
+
+Allowing to bypass for example CSP headers being set in codes like:
+
+```php
+<?php
+header("Content-Security-Policy: default-src 'none';");
+if (isset($_GET["xss"])) echo $_GET["xss"];
+```
+
+#### Filling a body before setting headers
+
 If a **PHP page is printing errors and echoing back some input provided by the user**, the user can make the PHP server print back some **content long enough** so when it tries to **add the headers** into the response the server will throw and error.\
 In the following scenario the **attacker made the server throw some big errors**, and as you can see in the screen when php tried to **modify the header information, it couldn't** (so for example the CSP header wasn't sent to the user):
 
