web php csp-bypass max-input-vars php-warnings headers

Trigger early PHP warnings with massive parameter sets to disturb header emission order and suppress or corrupt CSP.

CSP Removal / Breakage via max_input_vars and PHP Warnings

Once PHP emits warnings early enough, header emission order and output buffering can change. That can suppress or corrupt CSP and other security headers.

Why It Works

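  • Exceeding max_input_vars makes PHP raise a warning during parameter parsing, before application code runs. With display_errors = On the warning text is written into the response, and if nothing buffers that output the headers are sent at that point, so security headers the application sets later (CSP included) can be lost or mangled.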

Vulnerable Pattern

  • Massive parameter parsing, display_errors = On, low max_input_vars, and security headers set late in the response lifecycle.

Exploit Flow

  1. Send increasingly large param sets and diff the full response headers, not just the body.
  2. Correlate warning presence, buffering changes, and missing CSP with the exact threshold.

Variations

  • Nested arrays, duplicated keys, long names, or invalid parameter shapes to trigger parsing warnings sooner.

Common Blockers

  • Output buffering absorbs the warning, headers are set before parsing issues appear, or the real root cause is another parser bug.

PoC Sketch

/?a[0]=1&a[1]=1&...&a[1500]=1
# compare whether CSP or other response headers disappear once PHP warnings fire
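
Seen from the defending side, the same request shape is easy to spot in access logs, and the resulting response is easy to test for. The Python below is an added example, not part of the original page: it assumes combined-format access logs and PHP's default limit of 1000, the function names are hypothetical, and the sample log lines are constructed.

```python
import re

MAX_INPUT_VARS = 1000  # PHP's default; assumption, use the server's configured value
PHP_WARNING = "Input variables exceeded"  # start of the warning PHP emits at the limit

# Client IP, request target and status from a combined-format access log line.
REQ = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def count_input_vars(target):
    """Count non-empty '&'-separated query pairs (GET only; a simplification of PHP's counting)."""
    query = target.partition("?")[2]
    return sum(1 for pair in query.split("&") if pair)

def flag_oversized(lines, limit=MAX_INPUT_VARS):
    """Return (ip, path, n_vars) for each logged request that exceeds the limit."""
    hits = []
    for line in lines:
        m = REQ.match(line)
        if m is None:
            continue  # not a request line we understand
        n = count_input_vars(m["target"])
        if n > limit:  # PHP warns once the count goes past max_input_vars
            hits.append((m["ip"], m["target"].partition("?")[0], n))
    return hits

def csp_lost(headers, body):
    """True when a response shows the warning in its body and carries no CSP header."""
    names = {name.lower() for name in headers}
    return PHP_WARNING in body and "content-security-policy" not in names

# Constructed sample data: one ordinary request, one shaped like the PoC sketch.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /?page=2&sort=asc HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Jan/2026:10:00:05 +0000] "GET /?'
    + "&".join(f"a[{i}]=1" for i in range(1501))
    + ' HTTP/1.1" 200 9301',
]

if __name__ == "__main__":
    for ip, path, n in flag_oversized(SAMPLE_LOG):
        print(f"{ip} sent {n} input variables to {path} (limit {MAX_INPUT_VARS})")
```

csp_lost is meant for a regression test against your own application's responses; POST bodies are not in access logs, so oversized form submissions need the same count applied at a proxy or WAF.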

Good Situations To Use It

  • CSP blocks your XSS and max_input_vars is low.
  • display_errors is on and headers are set late.
  • You need to drop CSP rather than bypass it cleverly.

Sources

  • fcsc2026/web/shrimp_saver