The LimitRequestLine directive [17] in the Apache configuration file allows the web
server to reduce the size of an HTTP request . This includes all information passed in the
query as part of the GET request. The default value for this directive is 8190 bytes. If the
SQL Injection is discovered on the GET request and our query including the arbitrary code
8
is larger than this value, Apache web server would response with the HTTP Status Code
414 and the request would not be processed.
By default, the Apache web server sets the LimitRequestBody directive to 2GB [17]. This
is the allowed size of an HTTP request message body. If the SQL Injection is discovered in
a POST request, 2GB will give us enough room to upload our arbitrary code.
Web application firewalls also have the ability to terminate a long request. This long
request is normally detected as a buffer overflow attack.
