3-Round-Stones / callimachus

Callimachus is a highly scalable platform for creating and running data-driven websites

Resolve Slow HTTP POST vulnerability #191

Closed prototypo closed 9 years ago

prototypo commented 9 years ago

Current versions of Callimachus have been determined to be susceptible to the "Slow HTTP POST vulnerability": https://community.qualys.com/blogs/securitylabs/2011/07/07/identifying-slow-http-attack-vulnerabilities-on-web-applications

Adjust the timeouts on our connections to avoid this vulnerability.

catch-point commented 9 years ago

This is applicable to anonymous POST requests.

catch-point commented 9 years ago

If the request body buffer is empty (after the grace period of 10s) the TCP connection is closed. The grace period is reset whenever the request body buffer is reduced from full capacity.

This should allow the server to take its time reading the request body, but not permit the client to force it to do so.
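An added illustration of the watchdog rule described in the comment above (this is example code written for this page, not Callimachus project code): a request-body reader that closes the connection when its buffer has been empty for the 10 s grace period, and restarts the grace period only when the server drains a full buffer. The buffer capacity (8192 bytes), the event timings and the three scenarios are constructed assumptions; time is driven by the event timestamps rather than a real clock so the scenarios run instantly.

```python
"""Simulation of a slow-HTTP-POST watchdog (constructed example, not project code)."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

GRACE_SECONDS = 10.0  # grace period quoted in the issue comment


@dataclass
class BodyReader:
    """Tracks one request body buffer and decides when to drop the connection."""
    capacity: int                # request body buffer size in bytes (assumed 8192)
    content_length: int          # declared body length
    buffered: int = 0            # bytes in the buffer not yet read by the server
    consumed: int = 0            # bytes the server has read so far
    grace_reset_at: float = 0.0  # when the grace period last (re)started
    state: str = "open"          # open | complete | closed

    def client_sends(self, nbytes: int) -> int:
        """Client pushes bytes; only what fits in the buffer is accepted."""
        if self.state != "open":
            return 0
        accepted = min(nbytes, self.capacity - self.buffered)
        self.buffered += accepted
        return accepted

    def server_reads(self, nbytes: int, now: float) -> int:
        """Server consumes bytes. Reducing a *full* buffer proves the client is
        keeping up, so that (and only that) restarts the grace period."""
        if self.state != "open":
            return 0
        was_full = self.buffered == self.capacity
        taken = min(nbytes, self.buffered)
        self.buffered -= taken
        self.consumed += taken
        if was_full and taken > 0:
            self.grace_reset_at = now
        if self.consumed >= self.content_length:
            self.state = "complete"
        return taken

    def check(self, now: float) -> str:
        """Watchdog tick: empty buffer past the grace period means the client is
        withholding body bytes, so the TCP connection is closed."""
        if (self.state == "open" and self.buffered == 0
                and now - self.grace_reset_at >= GRACE_SECONDS):
            self.state = "closed"
        return self.state


def simulate(capacity: int, content_length: int,
             events: List[Tuple[float, str, int]]) -> Tuple[str, Optional[float]]:
    """Replay (time, action, nbytes) events and return (final_state, time it
    ended). Actions: 'send', 'read', or 'tick' (watchdog wakes, no traffic).
    Events with equal timestamps keep their listed order."""
    reader = BodyReader(capacity=capacity, content_length=content_length)
    for t, action, n in sorted(events, key=lambda e: e[0]):
        if action == "send":
            reader.client_sends(n)
        elif action == "read":
            reader.server_reads(n, t)
        if reader.check(t) != "open":
            return reader.state, t
    return reader.state, None


def slow_post_client() -> Tuple[str, Optional[float]]:
    """Constructed: declares a 100 kB body but trickles one byte every 5 s.
    The buffer never fills, so the grace period never resets: closed at 10 s."""
    events: List[Tuple[float, str, int]] = []
    for i in range(20):
        events += [(5.0 * i, "send", 1), (5.0 * i, "read", 1)]
    return simulate(8192, 100_000, events)


def silent_client() -> Tuple[str, Optional[float]]:
    """Constructed: sends headers and then nothing; watchdog ticks at 9.9 s and 10 s."""
    return simulate(8192, 1000, [(9.9, "tick", 0), (10.0, "tick", 0)])


def slow_server_legit_upload() -> Tuple[str, Optional[float]]:
    """Constructed: honest 16 kB upload, but the server drains the buffer only
    every 20 s. Draining a full buffer resets the grace, so it completes."""
    events = [(0.0, "send", 16384), (20.0, "read", 8192),
              (21.0, "send", 8192), (40.0, "read", 8192)]
    return simulate(8192, 16384, events)


if __name__ == "__main__":
    for name, fn in [("slow POST client", slow_post_client),
                     ("silent client", silent_client),
                     ("slow server, honest upload", slow_server_legit_upload)]:
        print(f"{name}: {fn()}")
```

The third scenario is the property the comment is after: a server that takes 20 s between reads is not penalised, because a client that keeps the buffer full is making progress, while a client that leaves the buffer empty for 10 s is cut off regardless of how large a body it declared.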