Proxy ? based powerful attack on http-server caught in wild. Can force out of memory #757
Comments
rook2pawn
changed the title
|
After the first
I don't think it's up to the server to determine what is a legitimate query string, beyond the basics, but it does seem basic to guard against too much memory being used. Is there a stack trace or any kind of error during the crash? Or is it not actually crashing? |
|
Yes, it was actually crashing on my Digital ocean box. I've since created this repository in an attempt to recreate it however my memory is much higher on my machine. https://github.com/rook2pawn/show-http-attack I will attempt to grab the log on the crash by running my service using the current published version. Stay tuned ill post the update here. |
|
I've updated the repo and was able to repro the error but did not get it to crash but it definitely starts to go into an uncontrolled loop. const http = require("http");
const genPath = (numRepeat) => {
return "/?".repeat(numRepeat);
};
const options = {
host: "127.0.0.1",
port: 8080,
path: genPath(140).concat("/api"),
method: "POST",
};
// Make a request
const req = http.request(options, (res) => {
res.setEncoding("utf8");
res.on("data", (chunk) => {
console.log(`BODY: ${chunk}`);
});
res.on("end", () => {
console.log("No more data in response.");
});
});
req.end();POST is required. GET will work fine, and POST will make it go out of control. (Want to add that curl disallowed such a long request so you need to build the attack like here) |
|
+1 for this. noticed this on my local environment today with a POST request to a non-valid URL. Currently using http-server in a live environment but this is a huge vulnerability. |
|
I think @thornjad has a point when saying it's not up to the server to determine what is a legitimate query string |
|
Thanks to everyone working on this issue :) I was running into the same problem, when using the
In my opinion it is a major bug, preventing Working solution for me is serving the SPA via 404.html as described in the README.md:
However, this impacts the returned HTTP status code to be 404 instead of 200. I see 3 different solutions for the bug to be resolved:
When help is wanted to implement 1. or 2., let me know… |
|
I think it would be helpful if anyone with context can help explain what is the proxy option, how it is implemented, and the relationship with |
Using |
Allows serving of SPAs * with correct status code 200 * without using the defekt `Catch-all redirect` fixes issue http-party#757
|
I really need this fix, so until my pull request or something similar is available at upstream, I published a package of the fork: For those, using the nix package manager, there is also a branch, providing a reproducible build via a flake.nix: |
|
This issue has been inactive for 180 days |
|
Hi There, Just to confirm that that issue is still an issue. I've noticed that it only seems to be post requests when a --proxy argument is passed to http-server. Furthermore, If you pass --proxy http://www.google.com then http-server doesn't present the bug. |
|
yeah... also seem I can't get |
I run http-server primarily for SPA with proxy redirect. I prefer to just use http-server directly without an NGINX or some other firewall for my projects.
Environment Versions
Steps to reproduce
http-server ./web -o -c-1 -p 8080 --proxy http://localhost:8080?"Suggestion
url.slice(0,4) === '/?/?'The more advanced way to handle this is to not use regex (intensive) but an indexOf analysis so we can parse legitamate query variables vs an actual attack.Request thoughts and interest in handling this attack? I can propose an precise curl command and repository to demonstrate. Let me know.
Have an immediate fix i implemented here before we even touch parse.
rook2pawn@6645278
The text was updated successfully, but these errors were encountered: