
AWS WAF and QID 150085 (Slow HTTP POST vulnerability)

Question asked by Thomas Moretto on Apr 6, 2017
Latest reply on Apr 10, 2017 by Thomas Moretto

Hi.

I have an AWS EC2 web application running Apache that sits behind an Application Load Balancer, which is protected by a WAF (web application firewall).

My customer has performed a WAS scan against his web application URL (which goes through the WAF to the ELB to the web server), and the scan results report that slow HTTP POST is a 'possible vulnerability'. I added the following to the Apache configuration with mod_reqtimeout, and the scan results still show slow HTTP POST as a possible vulnerability:

LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=10-20,MinRate=500

I also tried:

RequestReadTimeout header=10-20,MinRate=500 body=20,MinRate=500

Both configurations have the same result... slow HTTP attack is a possible vulnerability.

In addition, I have run slowhttptest against the web application; the service never goes down and the connections do close. The slowhttptest parameters I used were:

slowhttptest -c 5000 -B -g -o my_body_stats -i 110 -r 200 -s 8192 -t POST -u https://mywebapp.net -x 10 -p 3

I did some header tests too, and the results were the same: the service never goes down and connections do close.

Can someone please advise on what else I can do to fix these 'possible' vulnerabilities?  
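
The following is an added example, not code from the original post, from Qualys or from the Apache project. It makes the arithmetic behind the two RequestReadTimeout lines above concrete: each stage (header, body) starts with an initial deadline, every MinRate bytes the client sends buys one more second, and the optional upper bound (the 20 in header=10-20) caps the stage. The client model assumes a slowhttptest-style body trickle that sends its first chunk one interval after the headers and uses a fixed chunk size (real slowhttptest randomizes up to -x); those are assumptions, not something the post states. With the post's own parameters (-i 110, -x 10, -s 8192) the first body chunk arrives long after the 20-second body deadline, which is why those connections close. A probe that sends smaller pauses and larger chunks exercises the MinRate extension instead, and a client that stays above 500 B/s is allowed to finish because body=20 has no upper bound. Note also that with an Application Load Balancer in front, the slow client's connection terminates at the ALB, whose own idle timeout (60 seconds by default) applies independently of Apache, so what a scanner sees is the combination of the two; run the same test directly against the origin to observe mod_reqtimeout on its own.

```python
# Added example (not from the original post): simulate Apache mod_reqtimeout's
# RequestReadTimeout budgets against a slow-POST client to predict when the
# server should drop the connection. Semantics follow the module's documented
# behaviour: an initial deadline per stage, +1 second per MinRate bytes received,
# and an optional hard cap measured from the start of the stage.
from dataclasses import dataclass
from math import ceil
from typing import Dict, List, Optional, Tuple


@dataclass
class Stage:
    initial: float            # seconds allowed before the first byte of this stage
    maximum: Optional[float]  # hard cap in seconds from stage start (None = no cap)
    min_rate: Optional[int]   # bytes that extend the deadline by one second (None = none)


def parse_request_read_timeout(directive: str) -> Dict[str, Stage]:
    """Parse a RequestReadTimeout line into {'header': Stage, 'body': Stage}."""
    stages: Dict[str, Stage] = {}
    for token in directive.split()[1:]:        # skip the directive name itself
        name, _, spec = token.partition("=")
        fields = spec.split(",")
        lo, _, hi = fields[0].partition("-")   # "10-20" -> initial 10, cap 20; "20" -> no cap
        min_rate = None
        for extra in fields[1:]:
            key, _, val = extra.partition("=")
            if key.lower() == "minrate":
                min_rate = int(val)
        stages[name.lower()] = Stage(float(lo), float(hi) if hi else None, min_rate)
    return stages


def simulate(stage: Stage, sends: List[Tuple[float, int]], total_bytes: int) -> Tuple[str, float]:
    """Replay a client's send schedule [(seconds since stage start, bytes), ...]
    against one stage. Returns ('timeout', t) when the deadline passes before the
    next chunk arrives, or ('complete', t) once total_bytes have been received."""
    deadline = stage.initial
    received = 0
    for t, n in sends:
        if t > deadline:
            return "timeout", deadline
        received += n
        if received >= total_bytes:
            return "complete", t
        if stage.min_rate:
            deadline += n / stage.min_rate          # each MinRate bytes buys one second
            if stage.maximum is not None:
                deadline = min(deadline, stage.maximum)
    return "timeout", deadline   # client stopped sending before finishing


def trickle(interval: float, chunk: int, total_bytes: int) -> List[Tuple[float, int]]:
    """Assumed client model: `chunk` bytes every `interval` seconds until the declared
    Content-Length (`total_bytes`) is out, i.e. slowhttptest -B -i <interval> -x <chunk>
    -s <Content-Length> with a fixed rather than randomized chunk size."""
    return [(k * interval, chunk) for k in range(1, ceil(total_bytes / chunk) + 1)]


if __name__ == "__main__":
    cfg = parse_request_read_timeout(
        "RequestReadTimeout header=10-20,MinRate=500 body=20,MinRate=500")
    # The post's profile: 10-byte chunks every 110 s against an 8192-byte body.
    print("post's slowhttptest run:", simulate(cfg["body"], trickle(110, 10, 8192), 8192))
    # A slower pause still loses: MinRate only adds 0.02 s per 10-byte chunk.
    print("10 B every 10 s:", simulate(cfg["body"], trickle(10, 10, 8192), 8192))
    # A client just above 500 B/s keeps extending body=20 (no cap) and finishes.
    print("600 B every 1 s:", simulate(cfg["body"], trickle(1, 600, 8192), 8192))
    # The header stage is capped at 20 s regardless of how fast bytes arrive.
    print("slow headers at 1000 B/s:", simulate(cfg["header"], trickle(1, 1000, 50000), 50000))
```

Running the module prints the outcome for each profile; to model a different scanner, build a schedule with `trickle` (or hand-write one as a list of (time, bytes) pairs) and pass it to `simulate` with the stage parsed from your own RequestReadTimeout line.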
