Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resolve Slow HTTP POST vulnerability #191

Closed
prototypo opened this issue Nov 19, 2014 · 2 comments
Closed

Resolve Slow HTTP POST vulnerability #191

prototypo opened this issue Nov 19, 2014 · 2 comments
Assignees
@catch-point
Milestone
v1.4.1

Comments

@prototypo
Copy link

Current versions of Callimachus have been determined to be susceptible to the "Slow HTTP POST vulnerability":
https://community.qualys.com/blogs/securitylabs/2011/07/07/identifying-slow-http-attack-vulnerabilities-on-web-applications

Adjust the timeouts on our connections to avoid this vulnerability.
@prototypo prototypo added this to the v1.5.0 milestone Nov 19, 2014
@catch-point
Copy link
Contributor

This is applicable to anonymous POST requests.

@prototypo prototypo modified the milestones: v1.4.1, v1.5.0 Jan 21, 2015
@catch-point
Copy link
Contributor

If the request body buffer is empty (after the grace period of 10s) the TCP connection is closed. The grace period is reset whenever the request body buffer is reduced from full capacity.

This should allow the server to take its time reading the request body, but not permit the client to force it to doing so.

@catch-point catch-point mentioned this issue Feb 10, 2015
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@catch-point catch-point

Labels
None yet
Projects
None yet
Milestone
v1.4.1
Development

No branches or pull requests
2 participants
@prototypo @catch-point