Slow HTTP POST vulnerability

Question

Slow HTTP POST vulnerability

Martin Kruger 1

We have performed a scan with Qualys on our sites hosted an Azure app service. The scan comes back with Slow HTTP POST vulnerability every time the scan runs. We have tried all the recommendations of applying XDT Transform on the applicationHost.config file in the limits and webLimits elements. We have played with all the attributes in RequestLimits, specifically the maxAllowedContentLength, maxQueryString, and maxUrl attributes, but the scan still comes back with the vulnerability. Any help in resolving this problem would be greatly appreciated.

Ryan Hill 30,281 Reputation points Microsoft Employee Moderator

2021-02-19T05:46:26.58+00:00

Hi @Martin Kruger ,

You issue sounds familiar to https://social.msdn.microsoft.com/Forums/en-US/1e048000-7877-40a8-a9c6-8143e7a9d15e/azure-web-app-vulnerable-to-http-slow-post-attack?forum=windowsazurewebsitespreview. I'm assuming you've already been through all the links listed there. Can you provide what Qualys says is the cause of HTTP POST vulnerability?

Regards,
Ryan
Martin Kruger 1 Reputation point

2021-02-19T08:24:22.477+00:00

Hi @Ryan Hill ,

Thank you very much for your response.

I am aware of the link that you provided and it did not seem to solve the problem I have.

The feedback from Qualys is the following:

Vulnerable to slow HTTP POST attack
Connection with partial POST body remained open for: 132703 milliseconds

Regards,
Martin

1 answer

Your answer

Ryan Hill 30,281 Reputation points Microsoft Employee Moderator

2021-02-19T05:46:26.58+00:00

Hi @Martin Kruger ,

You issue sounds familiar to https://social.msdn.microsoft.com/Forums/en-US/1e048000-7877-40a8-a9c6-8143e7a9d15e/azure-web-app-vulnerable-to-http-slow-post-attack?forum=windowsazurewebsitespreview. I'm assuming you've already been through all the links listed there. Can you provide what Qualys says is the cause of HTTP POST vulnerability?

Regards,
Ryan
Martin Kruger 1 Reputation point

2021-02-19T08:24:22.477+00:00

Hi @Ryan Hill ,

Thank you very much for your response.

I am aware of the link that you provided and it did not seem to solve the problem I have.

The feedback from Qualys is the following:

Vulnerable to slow HTTP POST attack
Connection with partial POST body remained open for: 132703 milliseconds

Regards,
Martin

Answer 1

Hi @Martin Kruger ,

I'm assuming you used https://blog.qualys.com/vulnerabilities-research/2011/11/02/how-to-protect-against-slow-http-attacks to determine which settings you can/should adjust and still encountering the error. I would advise isolating the request and identifying the client that's causing these slow requests. https://blog.qualys.com/vulnerabilities-research/2011/07/07/identifying-slow-http-attack-vulnerabilities-on-web-applications list out some suggestions on how to identify slow requests if you haven't seen it already. I also suggestion enabling Application Insights to gain more visibility in the contents and performance of requests that are slower than others. If you already done these steps, the please reply to comment down below.

Regards,
Ryan

Share via

Slow HTTP POST vulnerability

1 answer

Your answer