mOses,

On Fri, Jun 26, 2009 at 9:36 PM, mOses<[email protected]> wrote:
>
> On Jun 26, 2009, at 7:51 PM, Jeremy Richards wrote:
>
>> Hello,
>>
>> I think that it should be possible to write some form of signature to
>> detect this without actually performing a DoS. First, it should be
>> mentioned that the check would not determine the specific vulnerable
>> application but the underlying architecture issue.
>>
>> To summarize the attack (please correct me if I'm wrong!):
>> Create a sufficiently large number of open HTTP connections to saturate
>> the connection pool. This results in the DoS condition (until connections
>> time out). This is not a TCP/IP layer attack but an application layer
>> attack.
>>
>> If one was able to open (and keep open) a safe number of connections for a
>> specified threshold, one may be able to determine the existence of the flaw.
>> This would require additional testing and research of course.
>>
>
> This is a rather interesting possibility, the only question I have is, how can
> you tell that your session is still 'active' if you are not communicating
> with it at all?

POST /index.php HTTP/1.1
Content-Length: 20

0987654321<wait 40 seconds>0987654321

If you get an answer, then the connection was kept alive for at least 40 seconds, right?

Cheers,

>> Jeremy
>>
>>
>>
>> On Fri, Jun 26, 2009 at 5:54 PM, Andres Riancho <[email protected]>
>> wrote:
>> Carlos,
>>
>> On Fri, Jun 26, 2009 at 6:17 PM, Carlos perez<[email protected]>
>> wrote:
>> > Slowloris is part of the architecture of apache not a bug so the only
>> > way to check if an admin took preventive measures for his specific
>> > environment would be to check the apache.conf file
>>
>> But if the admin took preventive measures, can't I test it using black
>> box?
>>
>> > Sent from my iPhone
>> >
>> > On Jun 26, 2009, at 3:25 PM, Andres Riancho <[email protected]>
>> > wrote:
>> >
>> >> List,
>> >>
>> >> Does anyone know if it's possible to test for the "slowloris
>> >> vulnerability" [0] without DoS'ing the web server? I was thinking
>> >> that if that was possible, we could add it to w3af. Someone already
>> >> did something in python [1], so it shouldn't be hard to add it to
>> >> w3af.
>> >>
>> >> [0] http://ha.ckers.org/slowloris/
>> >> [1] http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/
>> >>
>> >> Cheers,
>> >> --
>> >> Andrés Riancho
>> >> Founder, Bonsai - Information Security
>> >> http://www.bonsai-sec.com/
>> >> http://w3af.sf.net/
>> >>
>> >> ------------------------------------------------------------------------------
>> >> _______________________________________________
>> >> W3af-users mailing list
>> >> [email protected]
>> >> https://lists.sourceforge.net/lists/listinfo/w3af-users
>> >
>>
>> --
>> Andrés Riancho
>> Founder, Bonsai - Information Security
>> http://www.bonsai-sec.com/
>> http://w3af.sf.net/
>

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
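
The single-connection check sketched in the top message (half of a 20-byte POST body, a pause, then the rest), written out as an added example; it is not code from the thread, from w3af or from PyLoris. The names `slow_body_probe` and `start_test_server` are hypothetical, and the loopback server with its 408 reply is a constructed stand-in for a server that enforces a request read timeout.

```python
import socket, threading
BODY = b"0987654321" * 2  # the 20-byte body from the request in the thread

def slow_body_probe(host, port, wait, path="/index.php"):
    """One connection only: send half the body, stay silent for `wait` s, then
    finish. Returns (held, status_line); held means the stall was tolerated."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Length: {len(BODY)}\r\nConnection: close\r\n\r\n").encode()
    with socket.create_connection((host, port), timeout=5) as s:
        try:
            s.sendall(head + BODY[:10])
            s.settimeout(wait)
            try:
                early = s.recv(1024)  # data or EOF during the pause: server gave up
                return False, early.split(b"\r\n")[0].decode("latin-1")
            except socket.timeout:
                pass                  # still open and silent after `wait` seconds
            s.settimeout(5)
            s.sendall(BODY[10:])
            reply = s.recv(1024).split(b"\r\n")[0].decode("latin-1")
            return reply.startswith("HTTP/"), reply
        except OSError:               # reset, or no answer after the full body
            return False, ""

def start_test_server(read_timeout):
    """Constructed loopback target: 408 if a request stalls > read_timeout s."""
    srv = socket.create_server(("127.0.0.1", 0))
    def handle(conn):
        conn.settimeout(read_timeout)
        data = b""
        try:
            while len(data.partition(b"\r\n\r\n")[2]) < len(BODY):
                chunk = conn.recv(1024)
                if not chunk: return
                data += chunk
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
        except socket.timeout:
            conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nContent-Length: 0\r\n\r\n")
        finally:
            conn.close()
    def serve():
        while True:
            threading.Thread(target=handle, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for limit in (0.3, 5):  # strict vs. lenient read timeout on the test server
        print(limit, slow_body_probe("127.0.0.1", start_test_server(limit), wait=1))
```

A `held` result of `False` with a 408 status line shows the server cut the stalled request off before the pause ended; `True` only says that one connection was tolerated for `wait` seconds, not how many such connections the server can absorb.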
