But if you're able to find a server which does not implement protections against slow loris attacks, it is a big problem for them. Now, of course this works flawlessly on a local development server. This is because there are way too many open connections and PHP cannot handle any more open connections (due to memory/hardware limits). Now, I'll start a simple PHP development server on my machine:Īnd I use a simple Node script to perform what we discussed above on my local server:Īfter some time, you'll see that our PHP server actually crashes! This means, I could keep on sending additional data to the server in the form of headers.
Use this content for educational purposes only. And at the same time, it never ends that connection and opens multiple such connections to exhaust the connection pool of the server.ĭisclaimer - Penetration testing any online/offline service not owned by you without prior written permission is illegal and I'm not responsible for any damage caused. In other words, I can initiate an HTTP request to the server and keep sending data to the server very slowly in order to keep that connection alive. Slow Loris AttackĪ Slow Loris attack exploits the fact that I could make an HTTP request very very slowly. Thus, HTTP is a plaintext protocol consisting of the request information sent by the client and the response as shown above. The important header to include in HTTP/1.1 spec is the Host header.Īnd the response we got: HTTP/1.1 301 Moved Permanently Ignore the extra X-header-* headers, they're just random headers you can send with your request. See the following example on how we connect to HTTP port 80 for using netcat: We can use nc (netcat) utility to open a raw TCP socket to any website running on HTTP (usually port 80). HTTP (Layer 7) is built on the top of TCP protocol (Layer 4). Here's a TL DR video if you're a video person. Now, HTTP is the way you were able to communicate this information to your mom, more like the language you used for communication. It's basically like you saying to your mom, "Hey mom, I need to eat the item in the fridge present at shelf 2, could you give it to me?"Īnd your mom says, "Sure, here you go", and sends you that item. Your device, when you use a browser, uses this particular protocol to send requests to remote servers to request data from them. HTTP, HyperText Transfer Protocol, is the protocol used by the web for communication. We'll also look at a simple attack which exploits the way the HTTP protocol works.
Forget the post for a minute, let's begin with what this title is about! This is a web security-based article which will get into the basics about how HTTP works.
0 kommentar(er)
