Categories: vuln, safe
Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack.
Slowloris was described at Defcon 17 by RSnake (see http://ha.ckers.org/slowloris/).
This script opens two connections to the server, each without the final CRLF. After 10 seconds, second connection sends additional header. Both connections then wait for server timeout. If second connection gets a timeout 10 or more seconds after the first one, we can conclude that sending additional header prolonged its timeout and that the server is vulnerable to slowloris DoS attack.
A "LIKELY VULNERABLE" result means a server is subject to timeout-extension attack, but depending on the http server's architecture and resource limits, a full denial-of-service is not always possible. Complete testing requires triggering the actual DoS condition and measuring server responsiveness.
You can specify custom http User-agent field with
Idea from Qualys blogpost:
slaxml.debugSee the documentation for the slaxml library.
http.max-cache-size, http.max-pipeline, http.pipeline, http.useragentSee the documentation for the http library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusernameSee the documentation for the smbauth library.
vulns.short, vulns.showallSee the documentation for the vulns library.
nmap --script http-slowloris-check <target>
PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-slowloris-check: | VULNERABLE: | Slowloris DOS attack | State: LIKELY VULNERABLE | IDs: CVE:CVE-2007-6750 | Slowloris tries to keep many connections to the target web server open and hold | them open as long as possible. It accomplishes this by opening connections to | the target web server and sending a partial request. By doing so, it starves | the http server's resources causing Denial Of Service. | | Disclosure date: 2009-09-17 | References: | http://ha.ckers.org/slowloris/ |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
License: Same as Nmap--See https://nmap.org/book/man-legal.html