150085 Slow HTTP POST vulnerability Revisit and Help

Question asked by Fabian Raygosa on Jul 9, 2014
Latest reply on Jul 10, 2014 by fmc

Hi, a recent Qualys scan made on our servers brought out a "150085 Slow HTTP POST vulnerability".

With a response of:

Vulnerable to slow HTTP POST attack

Connection with partial POST body remained open for: 144142 milliseconds

Server resets timeout after accepting request data from peer.


I interpret this to mean that a LONG POST was done on the servers, longer than 140 seconds.

Qualys then gives a link to the slowhttptest tool. I have the tool running in cygwin on my Windows 7 machine, trying to manipulate the behavior on my localhost first.

The first issue is that I am having trouble crafting the correct command for slowhttptest.

I have tried this:

./slowhttptest -c 50 -g -o stats -i 10 -r 50 -t POST -u http://localhost/ColorTest/default.aspx -x 32

./slowhttptest -c 50 -g -o stats -i 10 -r 50 -t POST -u http://localhost/ -x 32

However, every time the graphic does not seem helpful [image 1].


I have gone to IIS to alter the IIS setting for webLimits connection timeout to 45 seconds [image 2]. However, running the report yields the EXACT same result. I should be seeing different activity at 45 seconds, right? But I don't. My chart data on several permutations always stops/starts at the beginning or end of the chart and always at 130 seconds. It never even goes to the 240 default seconds.


I would like some direction and help for:

1. Am I crafting the correct slowhttptest for the given Qualys issue detected?

2. Am I on the right track with the connectionTimeout setting? On my production servers I have it set to 2 minutes, 120 seconds. So it frustrates me very much to see a 140 second POST body. It should never have gotten there.
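As an added example, not from the question, the reply, Qualys or the slowhttptest project: a local Python simulation that contrasts the two timeout semantics the scanner output distinguishes (a timeout that is re-armed each time request data arrives versus one fixed deadline for the whole request), plus a single-connection probe that measures how long a half-sent POST is held open, which is the figure Qualys reports in milliseconds. The server, its policy names and all timings are constructed for the demonstration; point `partial_post_probe` at a real host only to verify your own timeout configuration.

```python
import select, socket, threading, time

# Constructed local simulation (hypothetical names; not Qualys or slowhttptest
# code). "idle" re-arms the read timeout after every byte received, which is what
# "Server resets timeout after accepting request data from peer" describes.
# "absolute" fixes one deadline for the whole request when it is accepted.
def serve_one(policy, timeout, ready):
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ready["port"] = srv.getsockname()[1]
    ready["event"].set()
    conn, _ = srv.accept()
    deadline = time.monotonic() + timeout
    try:
        while True:
            if policy == "idle":
                conn.settimeout(timeout)                 # re-armed on every byte
            else:
                conn.settimeout(max(deadline - time.monotonic(), 0.001))
            if not conn.recv(1):
                break                                    # peer finished or closed
    except socket.timeout:
        pass                                             # policy expired: drop the peer
    conn.close()
    srv.close()

def partial_post_probe(host, port, drip_interval, drips):
    """Send POST headers, then one body byte per drip; return seconds held open."""
    s = socket.create_connection((host, port))
    start = time.monotonic()
    s.sendall(b"POST / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 100000\r\n\r\n")
    for _ in range(drips):
        time.sleep(drip_interval)
        try:
            if select.select([s], [], [], 0)[0] and not s.recv(1):
                break                                    # FIN from server: it gave up
            s.sendall(b"a")
        except OSError:
            break                                        # RST / broken pipe: same thing
    held = time.monotonic() - start
    s.close()
    return held

def measure(policy, timeout=0.4, drip_interval=0.1, drips=15):
    """Start the simulated server with `policy`, probe it, return seconds held."""
    ready = {"event": threading.Event()}
    threading.Thread(target=serve_one, args=(policy, timeout, ready), daemon=True).start()
    ready["event"].wait(2)
    return partial_post_probe("127.0.0.1", ready["port"], drip_interval, drips)
```

With the "idle" policy the drip never lets the 0.4 s timeout expire, so the connection stays open for the full 1.5 s of dripping; with the "absolute" policy it is dropped at about 0.4 s regardless of how much body trickles in.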