414 URI too long

Digital analysts who rely only on client-side data collection on websites miss server performance issues, because that data is found elsewhere. 414 errors are typically out of sight and might not impact security, yet they can signal the rise or presence of potential issues.

414 errors in web server log file

There are not many conditions that will cause this error to be triggered, and the most common issue that occurs on servers investigated is:

* the server is under attack by a client attempting to exploit potential security holes

When mining for data in web server logs one occasionally finds 414 errors, i.e. requests where the URI requested by the client is longer than the server is willing to interpret. Although such requests look like complete gibberish, they provide insight into attack patterns.

Long URI requests with multiple encoded %

Normally attacks of this kind seem to be running in clueless revisit loops; perhaps whoever wrote the loop believes in the resurrection of cgi-bin, or that a sloppy default installation will magically come into existence. As many such attack calls appear to emerge from China, a bit of tuning on the Great Firewall of China to stop such cruft from running behind it and causing errors would make far better use of it.

Decode URL

While such lines are hard to read, transforming them into readable text doesn't require much effort.

Decode the funky URI for improved readability

Just search on your favorite search engine for "decode URI" for a list of online tools available for decoding. Copy and paste the URI with all of its percent-encoded values into the box and decode; the decoded text makes the reason for the error obvious.

Applying an appropriate rule in the firewall in front of the web server will reduce the need for the web server to handle such requests. One could argue that CGI today is essentially a dead technology, but if it is not used, why would such requests be allowed to hit a server at all? As a precaution, if cgi-bin requests are getting 200 code responses from a server and cgi-bin isn't in use... well, that is an issue to take care of.
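As an added example (not code from the original post), the Python script below decodes the URIs locally and reports the two signals discussed above: repeated 414 requests per client, and cgi-bin requests answered with 200. The log lines are constructed, and the "combined" log format, the field regex and the function names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in "combined" log format (assumed format, not real traffic).
PAD = "%2541" * 40  # double-encoded "A", stands in for a long multi-encoded URI
SAMPLE_LOG = f'''\
198.51.100.7 - - [10/Mar/2024:06:12:01 +0000] "GET /cgi-bin/status.cgi?pad={PAD} HTTP/1.1" 414 248 "-" "-"
198.51.100.7 - - [10/Mar/2024:06:12:02 +0000] "GET /cgi-bin/status.cgi?pad={PAD} HTTP/1.1" 414 248 "-" "-"
203.0.113.9 - - [10/Mar/2024:06:13:40 +0000] "GET /cgi-bin/printenv HTTP/1.1" 200 1520 "-" "-"
192.0.2.44 - - [10/Mar/2024:06:14:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

# The protocol token is optional because an over-long request line may be logged truncated.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)

def decode_uri(uri, max_rounds=5):
    """Percent-decode until the text stops changing, so nested %25xx layers are unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(uri, errors="replace")
        if decoded == uri:
            break
        uri = decoded
    return uri

def analyse(log_text):
    """Return (414 counts per client and decoded URI prefix, cgi-bin requests that got 200)."""
    too_long = Counter()
    cgi_ok = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line, skip rather than guess
        decoded = decode_uri(m["uri"])
        if m["status"] == "414":
            # Grouping on a decoded prefix makes revisit loops show up as high counts.
            too_long[(m["ip"], decoded[:60])] += 1
        elif m["status"] == "200" and decoded.lower().startswith("/cgi-bin/"):
            cgi_ok.append((m["ip"], decoded))
    return too_long, cgi_ok

if __name__ == "__main__":
    too_long, cgi_ok = analyse(SAMPLE_LOG)
    for (ip, prefix), hits in too_long.most_common():
        print(f"414 x{hits} from {ip}: {prefix}...")
    for ip, uri in cgi_ok:
        print(f"cgi-bin answered 200 for {ip}: {uri}")
```

Any entry in the second list on a server where cgi-bin isn't in use is the case the paragraph above says to take care of.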

External links:

GreatFire.org brings transparency to the Great Firewall of China
414 URI Too Long
List of URL decode resources