Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Now slowloris works with untrusted/invalid certificate. #55

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

C3l1n
Copy link

@C3l1n C3l1n commented Apr 30, 2021

If remote server use invalid certificate or unsigned by trusted CA slowloris fails silently and create zero socets. Now it's fixed.

@gkbrk
Copy link
Owner

gkbrk commented May 8, 2021

The PR contains a lot of unrelated changes, I cannot merge it in this state.

As an aside, I thought by default Python didn't check certificates. Maybe it only ignores for certificate chain errors and still checks if the hostnames match. I'll have to investigate this.

…th small request header/body timeout but big keep-alive
@C3l1n
Copy link
Author

C3l1n commented May 8, 2021

Hi gkbrk,

Accidentally I created PR for master in my fork instead of for specific commit. After that I added other changes. Now i refactor code on master. If you want to make slowloris better tool you have two option:

  1. Use current master of my repo- it will fix slowloris with servers using untrusted certificate and add two features. First is ability to use client certificate (for servers that force mutual TLS client connection) - options --cert, --key and --password. Second is for specific sitiuation when attacked server has request waiting for body/header timeout set to low value i.e. in nginx you can set timeout for waiting for header or body of request and slowloris wont work without my fix but there is still possible way to attack such server when keep-alive is set to big value. But slowloris has to make full request in open connection. It is added by option --makerequest.
  2. Just add fix for untrusted server certificate - merge with commit C3l1n@f27c838 from my repo :).

If you want I can make other PR or sth.

ps. great tool

Best regards.

@RaduNico
Copy link

Would really love to see f27c838 merged. There is little use for certificate checking, plus the tool fails silently to make any connections to the webserver.

@gkbrk
Copy link
Owner

gkbrk commented Oct 1, 2022

Merged the untrusted/invalid cert commit. I will push a release to PyPI and investigate the other commits later.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants