Open GaryDeng777 opened 7 years ago
Can you please paste the arguments you use for the test?
Thanks for your reply... I'm very worried about this problem because I used it in my final project design. So can you please help me fix this problem?
The command I used is as follows: `./slowhttptest -c 1000 -B -i 100 -r 200 -s 8192 -t POST -u http://192.168.9.106/index.html -x 10 -p 3`
You see the GET verb in probe connections (and it is a legitimate complete request with a final CRLF), which try to request the page to see if it is still available. Enable logging on your web server to see the details.
I opened access_log for Apache and found this:

```
192.168.9.100 - - [26/Sep/2017:11:14:57 +0800] "POST / HTTP/1.1" 400 226
192.168.9.100 - - [26/Sep/2017:11:14:59 +0800] "POST / HTTP/1.1" 400 226
192.168.9.100 - - [26/Sep/2017:11:15:00 +0800] "POST / HTTP/1.1" 400 226
192.168.9.100 - - [26/Sep/2017:11:14:58 +0800] "POST / HTTP/1.1" 400 226
192.168.9.100 - - [26/Sep/2017:11:14:57 +0800] "POST / HTTP/1.1" 400 226
192.168.9.100 - - [26/Sep/2017:11:14:57 +0800] "POST / HTTP/1.1" 400 226
```

I remembered 400 means Bad Request... Is there a problem?
You need to set up your server to handle POST requests at /index.html. Slow POST is generally effective when the server expects an upload of something big, or at least a form submission.
Thanks for the reply. I put two files in my Apache web server: hello.html and server.php. The code for hello.html is:

```html
<form name="form1" method="post" action="server.php">
name: <input type="text" name="name"><br>
password: <input type="password" name="psw"><br>
<input type="submit">
</form>
```

The code for server.php is:

```php
<?php
header("Content-Type: text/html; charset=UTF-8");
// Echo each submitted form field back, one per line.
if (isset($_POST["name"]))
{
    echo "username:" . $_POST["name"] . "\n";
}
if (isset($_POST["psw"]))
{
    echo "password:" . $_POST["psw"] . "\n";
}
?>
```
It works well on my web server and I can access the web page from my Kali attacker virtual machine. If I input data and submit the page, I can also capture POST packets with Wireshark. But it still gives 400 Bad Request when I launch the slow body attack.
You should point slowhttptest to your POST accepting endpoint, e.g. https://whatever/server.php
I'm seeing the same issue, but only (mostly) when using the proxy option. When using a proxy, the tool continues to send GET requests while being run, and sends a POST request only when exited using Ctrl-C. This is where the major issue lies. The command I am using is: `slowhttptest -B -t POST -c 1 -u http://127.0.0.1:8888 -d 127.0.0.1:8080`
When not using the proxy, it 'almost' works as expected, with one GET request being sent before the POST request, i.e.: `slowhttptest -B -t POST -c 1 -u http://127.0.0.1:8888`
I also noticed the tool works fine with/without proxy settings with arbitrary methods, but still sends a single GET request before the arbitrary method, i.e.: `slowhttptest -B -t BLAH -c 1 -u http://127.0.0.1:8888 -d 127.0.0.1:8080`
It's easy to reproduce. I set up a local web server with `python -m SimpleHTTPServer 8888`, so the proxy traffic (Burp) or Wireshark files are not needed. I've also tried both with "-t POST" and without, which has no bearing given the '-B' parameter.
I'm using the latest v1.7 on High Sierra (macOS)
I have the same problem: I can't capture the POST packet with Wireshark, and I have tried with hello.html and server.php, but it doesn't work.
The command I used is as follows:
`slowhttptest -c 500 -B -g -o my_body_stats -i 10 -r 200 -s 8192 -t POST -u http://169.254.227.183/server.php -x 10 -p 3`
I think I have pointed slowhttptest to my POST-accepting endpoint with `-u http://169.254.227.183/server.php`, and when I checked /var/log/access.log, I can see the POST packet.

```
69.254.227.182 - - [27/Dec/2018:06:52:43 -0500] "POST / HTTP/1.1" 408 488 "https://github.com/shekyan/slowhttptest/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:5.0.1) msnbot-131-253-46-102.search.msn.com"
::1 - - [27/Dec/2018:06:52:54 -0500] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.34 (Debian) (internal dummy connection)"
```

And the POST attack does work, except I can't capture the POST packet, and I don't know why.
I was puzzled too, but worked it out.
Wireshark decodes RFC-compliant HTTP requests as Protocol: HTTP and shows the first line of the HTTP request (or response) in the 'Info' column of the Packet List. However, as the POST requests were not complete, Wireshark does not show them as HTTP but instead as Protocol: TCP ([PSH, ACK]). If you click on such a packet you will see the POST in the TCP payload.
To find these packets easily, use Ctrl-F, change 'Display Filter' to 'String' and 'Packet List' to 'Packet Bytes', then enter POST in the text box and select 'Find'.
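
The distinction made in the comment above, as an added example that is not part of the original thread, slowhttptest or Wireshark: a small Python check that tells a complete HTTP request from a partial one in the client bytes of a TCP stream. It also covers unterminated headers, which the comment does not mention; the function name, sample payloads and the 192.0.2.10 host are constructed for illustration.

```python
def classify_http_payload(payload: bytes) -> dict:
    """Report whether the client bytes of one TCP stream form a full request."""
    head, terminator, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return {"state": "not-http"}
    result = {"method": request_line[0].decode("ascii", "replace")}
    if not terminator:
        # The empty line that ends the header block has not arrived yet.
        result["state"] = "incomplete-headers"
        return result
    declared = 0
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            if not value.strip().isdigit():
                result["state"] = "malformed-length"
                return result
            declared = int(value.strip())
    result.update(declared=declared, received=len(body))
    # Headers are done; the request is whole only once the body is all there.
    result["state"] = "complete" if len(body) >= declared else "incomplete-body"
    return result


# Constructed sample payloads (hypothetical, not captured traffic).
PROBE_GET = b"GET /server.php HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
SLOW_POST = (b"POST /server.php HTTP/1.1\r\nHost: 192.0.2.10\r\n"
             b"Content-Length: 8192\r\n\r\nname=a&psw=b")
FINISHED_POST = (b"POST /server.php HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                 b"Content-Length: 12\r\n\r\nname=a&psw=b")

if __name__ == "__main__":
    for label, data in [("probe", PROBE_GET), ("slow", SLOW_POST),
                        ("finished", FINISHED_POST)]:
        print(label, classify_http_payload(data))
```

The `incomplete-body` result still carries the request method, which is why a byte search for POST finds packets that are listed only as TCP.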
Hi, when I tried to launch a slow body attack and used Wireshark to capture packets, I found that the method in the HTTP request is GET, not POST. Is there any problem?