Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Slow Body Problem #49

Open
GaryDeng777 opened this issue Sep 25, 2017 · 10 comments
Open

Slow Body Problem #49

GaryDeng777 opened this issue Sep 25, 2017 · 10 comments

Comments

@GaryDeng777
Copy link

Hi,
When I tried to launch slow body attack and used wireshark to capture data package, I just found protocol in HTTP request is GET, not POST, is there any problem??

@shekyan
Copy link
Owner

shekyan commented Sep 25, 2017

Can you please paste the arguments you use for the test?

@GaryDeng777
Copy link
Author

Thanks for your reply...I'm very worried about this problem because I used it in my final project design.So can you please help me fix this problem??

The command I used is as followed:
./slowhttptest -c 1000 -B -i 100 -r 200 -s 8192 -t POST -u http://192.168.9.106/index.html -x 10 -p 3

@shekyan
Copy link
Owner

shekyan commented Sep 26, 2017

You see GET verb in probe connections (and it is legitimate complete request with final CRLF), which tries to request the page to see if it is still available.
Enable logging on your web server to see the details.

@GaryDeng777
Copy link
Author

I opened access_log for apache and found this :
192.168.9.100 - - [26/Sep/2017:11:14:57 +0800] "POST / HTTP/1.1" 400 226
192.168.9.100 - - [26/Sep/2017:11:14:59 +0800] "POST / HTTP/1.1" 400 226
192.168.9.100 - - [26/Sep/2017:11:15:00 +0800] "POST / HTTP/1.1" 400 226
192.168.9.100 - - [26/Sep/2017:11:14:58 +0800] "POST / HTTP/1.1" 400 226
192.168.9.100 - - [26/Sep/2017:11:14:57 +0800] "POST / HTTP/1.1" 400 226
192.168.9.100 - - [26/Sep/2017:11:14:57 +0800] "POST / HTTP/1.1" 400 226

I remembered 400 means Bad Request...Is there a problem?

@shekyan
Copy link
Owner

shekyan commented Sep 26, 2017

You need to setup your server to handle post requests at /index.html . Slow POST is generally effective when server expects an upload of something big, or at least a form submission.

@GaryDeng777
Copy link
Author

Thanks for reply.
I put two files in my apache web server: hello.html and server.php.
The code for hello.html is:
`

    <form name="form1" method="post" action="server.php">

    name: <input type="text" name="name"><br>
    password: <input type="password" name="psw"><br>
    <input type="submit">
    </form>
`

The code for server.php is:
`<?php

header("Content-Type: text/html; charset=UTF-8");

if (isset($_POST["name"]))
{
echo "username:" . $_POST["name"] . "
";
}

if (isset($_POST["psw"]))
{
echo "password:" . $_POST["psw"] . "
";
}

?> `

It works well on my web server and I can access the web page via my kali attacker virtual machine.
And if I input data and submit the page, I can also capture post packets by wireshark.
But it still gives 400 Bad Request when I launched slow body attack..

@shekyan
Copy link
Owner

shekyan commented Sep 26, 2017

You should point slowhttptest to your POST accepting endpoint, e.g. https://whatever/server.php

@ama21n
Copy link

ama21n commented Jun 15, 2018

I'm seeing the same issue, but only (mostly) when using the proxy option.
When using a proxy, the tool continues to send GET requests while being run, and sends a POST request only when exited using ctrl-c. This is where the major issue lies.
The command I am using is:
slowhttptest -B -t POST -c 1 -u http://127.0.0.1:8888 -d 127.0.0.1:8080

When not using the proxy, it 'almost' works as expected with one GET request being sent before the POST request, ie:
slowhttptest -B -t POST -c 1 -u http://127.0.0.1:8888

I also noticed the tool works fine with/without proxy settings with arbitrary methods, but still sends a single GET request before the arbitrary method, ie:
slowhttptest -B -t BLAH -c 1 -u http://127.0.0.1:8888 -d 127.0.0.1:8080

It's easy to reproduce, I setup a local webserver with 'python -m SimpleHTTPServer 8888', so the proxy traffic (Burp) or wireshark files are not needed. I've also tried both with "-t POST" and without, which has no bearing given the '-B' parameter.

I'm using the latest v1.7 on High Sierra (macOS)

@jackcily
Copy link

jackcily commented Dec 27, 2018

i have the same problem, i can't capture POST package with wireshark ,and i have tried with hello.html and server.php,but it doesn't work .

the command i used as followed:
slowhttptest -c 500 -B -g -o my_body_stats -i 10 -r 200 -s 8192 -t POST -u http://169.254.227.183/server.php -x 10 -p 3

i think i have pointed slowhttptest to my POST accepting endpoint by -u http://169.254.227.183/server.php

and when i checked /var/log/access.log,i can see the POST package.

69.254.227.182 - - [27/Dec/2018:06:52:43 -0500] "POST / HTTP/1.1" 408 488 "https://github.com/shekyan/slowhttptest/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:5.0.1) msnbot-131-253-46-102.search.msn.com"
::1 - - [27/Dec/2018:06:52:54 -0500] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.34 (Debian) (internal dummy connection)"

And the POST attack does work, except i can't capture POST package .

and i don't know why?

@joknoxy
Copy link

joknoxy commented Nov 22, 2023

I was puzzled too however worked it out.

Wireshark decodes RFC-compliant HTTP requests as Protocol:HTTP and shows the HTTP request (or response) line 1 in the 'Info' column in Packet List, however as the POST requests were not complete, Wireshark does not show them as http but instead as Protocol:TCP ([PSH, ACK]). If you click on such a packet you will see the POST in the TCP payload.

To find these packets easily use Ctrl-F, change 'Display Filter' to 'String' and 'Packet List' to 'Packet Bytes' then enter POST in the text box then select 'Find'.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants