The OWASP HTTP Post Tool allows you to test your web applications to ensure its stability from HTTP GET and HTTP POST attacks. This tool was programmed by the author to over come the short comings of other HTTP attack tools such as Slowloris and PyLoris. In other words this QA tool was created to allow you to test your web applications to ensure its stability from HTTP GET and HTTP POST attacks. According to the author, these tools are easier to detect and the following are the defects of the HTTP GET DDOS attack:
Now, back to the reasoning – A HTTP POST request includes a message body in addition to a URL used to specify information for the action being performed. This body can use any encoding, but when web pages send POST requests from an HTML form element the Internet media type is "application/x-www-formurlencoded". The "Content-Length" field in the HTTP Header tells the web server how large the message body is, for e.g., "Content-Length = 1000". The HTTP Header portion is complete and sent in full to the web server, hence bypassing IIS inherent protection.
For e.g., Content-Length = 1000 (bytes). The HTTP message body is properly URLencoded, but, it is sent at,1 byte per 110
seconds (for example). Multiply such connections by 20,000 and your IIS web server will be DDOSed! Most shockingly, web servers can accept up to 2GB worth of content in a single HTTP POST request!
Web servers will accept the "Content-Length" field to wait for the remaining message body to be sent. Waiting for the complete message body to be sent, web servers can support users with slow or intermittent connections. Hence, any website which has forms, i.e. accepts HTTP POST requests, is susceptible to such attacks!
Such HTTP POST requests are used commonly on site that allow login, uploading photo/video, sending e-mail/attachments, submitting feedback and etc. Further, firewalls do not block Port 80 connections!
So you see, this open source tool could be an important tool in your PT arsenal.
Download the OWASP HTTP Post Tool v3 (HttpDosTool3.zip) here.
- Does not work on IIS web servers or web servers with timeout limits for HTTP headers.
- Easily defensible using popular load balancers, such as F5 and Cisco, reverse proxies and certain Apache modules, such as mod_antiloris.
- Anti-DDOS systems may use delayed binding or TCP Splicing to defend against HTTP GET attacks.
Now, back to the reasoning – A HTTP POST request includes a message body in addition to a URL used to specify information for the action being performed. This body can use any encoding, but when web pages send POST requests from an HTML form element the Internet media type is "application/x-www-formurlencoded". The "Content-Length" field in the HTTP Header tells the web server how large the message body is, for e.g., "Content-Length = 1000". The HTTP Header portion is complete and sent in full to the web server, hence bypassing IIS inherent protection.
For e.g., Content-Length = 1000 (bytes). The HTTP message body is properly URLencoded, but, it is sent at,1 byte per 110
seconds (for example). Multiply such connections by 20,000 and your IIS web server will be DDOSed! Most shockingly, web servers can accept up to 2GB worth of content in a single HTTP POST request!
Web servers will accept the "Content-Length" field to wait for the remaining message body to be sent. Waiting for the complete message body to be sent, web servers can support users with slow or intermittent connections. Hence, any website which has forms, i.e. accepts HTTP POST requests, is susceptible to such attacks!
Such HTTP POST requests are used commonly on site that allow login, uploading photo/video, sending e-mail/attachments, submitting feedback and etc. Further, firewalls do not block Port 80 connections!
So you see, this open source tool could be an important tool in your PT arsenal.
Download the OWASP HTTP Post Tool v3 (HttpDosTool3.zip) here.
