Permalink
Switch branches/tags
Nothing to show
Find file
Fetching contributors…
Cannot retrieve contributors at this time
14 lines (10 sloc) 998 Bytes

This is a small script to test your java app for resilliance against HashDos

What is hashdos

See http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html
It's an attack abusing the fact that it's easy to find java strings that have the same hashcode, and thus flood the parsing of an HTTP POST request with loads of paramaters having the same hash. Because java apps often build a hashtable/hashmap of parameters on the server side, and a hashtable/hashmaps often resorts to a linked list for values having the same hash, the performance takes a hit for these kinds of requests.

How do I use it?

  1. ruby HashDosTester.rb http://the.url.of.my.site/ number_of_parameters
  2. Start with a small number (100) and increase to 500, 1000, 2000, 5000.
  3. Check if the time difference between the bening and attack request is suddenly deviating (by several thousand percent). If the attack is much slower than the bening your application is most likely vulnerable.