AnsweredAssumed Answered

Slow HTTP POST vulnerability

Question asked by Gude Hideki on Jan 29, 2013
Latest reply on Dec 21, 2015 by fmc

Hi,

 

Recently I received a scan report from Qualys detecting vulnerability from Slow Http Post.

My website is hosted on Azure on Websites Plataform which runs wordpress on IIS7.

Even the fact that my website is hosted on a dedicated server, I don't have access to IIS.

The only server side configuration is limited to web.config.

 

I am only allowed to make changes in this first item from Qualys:

 

  • Limit request attributes is through the <RequestLimits> element, specifically the maxAllowedContentLength, maxQueryString, and maxUrl attributes.
  • Set <headerLimits> to configure the type and size of header your web server will accept.
  • Tune the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes of the <limits> and <WebLimits> elements to minimize the impact of slow HTTP attacks.

 

Talked to Azure support team and they told me that they have some configuration in WAWS to mitigate such things, but we don’t provide any implementation details for security reasons.

 

Is there any other way to mitigate this vulnerability?

Another doubt is the type tested on Qualys scanner from Slow Http Post: slow down in headers section or in message body, range test or slow read test.

Outcomes