POC DoS Slow HTTP POST tool using JS


Hanzo Shinobi

Jan 12, 2012, 3:32:10 PM1/12/12
to securit...@googlegroups.com
Hi!
I'm a student doing research with ModSecurity. I'm coming up with some rules to prevent * HTTP POST DoS attack on the Apache server by using JavaScript cookies. ModSecurity injects the JavaScript code on any webpage, and ModSecurity is then configured to drop requests without these cookies. My main assumption is that most bots, especially those that use the slow HTTP DoS POST attack, don't use browsers and thus don't use JavaScript.

Can anyone here give me some insights as to how effective/not effective that prevention is? Can someone also use JavaScript to create a Slow HTTP POST attack tool that triggers or steals that cookie and proceed with the attack?

There are already other mitigating techniques in place. But I'm trying to put in another layer of prevention using the open source Apache module called ModSecurity and use its content injection capability to detect if client requests are coming from legitimate clients like browsers and not tools often used for DoS attacks. I assumed that most legitimate web clients that have the complete browser technology stack would have JavaScript. I tested this against slowhttptest from Qualys, found here -


and the OWASP Slow POST Tool here -

Articles on slow post DoS attacks can be found



As far as my mitigation is concerned, its huge weakness is when a tool can read JS cookies, grab them, and use them for DoS. As far as I know, other tools can't grab JS cookies since they run at the client-side, unless a tool can parse JS first, then look for document.cookie.

I need some inputs on the possibility of a proof-of-concept tool that can do a Slow HTTP request DoS using JS, or can grab JS cookies, then use them to commit Slow HTTP DoS attacks.
But I'm not sure if JS can slow down the requests. I also haven’t found any slow http DoS tools run by a browser.

Your inputs will be appreciated.

Thanks!
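The mitigation described in the post, expressed as a ModSecurity 2.x rule set, is shown below as an added illustration; it is not configuration from the poster or from the ModSecurity project. The rule ids, the cookie name `jsc` and its value are assumed placeholders. The first rule uses ModSecurity's content injection to append a small script to every HTML response; the script sets a cookie from JavaScript, so a client that never executes JavaScript never obtains it. The second rule then denies POST requests that arrive without that cookie.

```apache
# Assumed example configuration (not from the original post).
# Requires ModSecurity 2.x with content injection enabled.

SecRuleEngine On
SecContentInjection On

# Phase 4 (response body): append a script to HTML responses only.
# The script sets a cookie from JavaScript; a plain HTTP client that
# does not execute JavaScript will not end up holding it.
SecRule RESPONSE_CONTENT_TYPE "^text/html" \
    "id:100001,phase:4,pass,nolog,\
    append:'<script>document.cookie=\"jsc=1; path=/\";</script>'"

# Phase 1 (request headers): deny POST requests that carry no jsc cookie.
# &REQUEST_COOKIES:jsc counts how many cookies named jsc were sent.
SecRule REQUEST_METHOD "@streq POST" \
    "id:100002,phase:1,deny,status:403,log,\
    msg:'POST without JavaScript-set cookie',chain"
    SecRule &REQUEST_COOKIES:jsc "@eq 0"
```

Because the check is only for the presence of a fixed cookie, a tool that parses the injected script (or replays a cookie captured once from a real browser) passes the rule, which is exactly the weakness the post identifies; the check raises the bar for clients that never fetch or evaluate the page's HTML, and should sit alongside the other slow-POST mitigations the post mentions rather than replace them.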