SlowHTTPTest is a highly configurable tool that simulates some
Application Layer Denial of Service attacks.
It implements most common low-bandwidth Application Layer DoS attacks,
such as slowloris, Slow HTTP POST, Slow Read attack (based on TCP persist
timer exploit) by draining concurrent connections pool, as well as Apache
Range Header attack by causing very significant memory and CPU usage on the
server.
Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP
protocol, by design, requires requests to be completely received by the
server before they are processed. If an HTTP request is not complete, or if
the transfer rate is very low, the server keeps its resources busy waiting
for the rest of the data. If the server keeps too many resources busy, this
creates a denial of service. This tool is sending partial HTTP requests,
trying to get denial of service from target HTTP server.
Slow Read DoS attack aims the same resources as slowloris and slow POST,
but instead of prolonging the request, it sends legitimate HTTP request and
reads the response slowly.
- Buffer overflow when pasting too long text from clipboard to dialog
boxes (not remotely exploitable)
- A write out of allocated memory in the graphics renderer
(potentially exploitable)
- An infinite loop when parsing invalid usemap specification in text and
graphics mode (can cause browser lockup, but not otherwise exploitable)
- Accesses out of memory in the xbm decoder (potentially exploitable)
Also drop dip.c patch to resolve crashes with libpng 1.5, upstream
appears to have fixed this separately in the update to 2.5.
Thanks jasper@ for additional testing.
Using Catalyst::Plugin::FormValidator is not recommended as the module
takes over the global $c->form method, rather than being applicable in
only part of your Catalyst application. Furthermore,
Data::FormValidator itself is not recommended for use.
from Andreas Voegele
Catalyst::Plugin::Cache::Store::FastMmap is deprecated because
Cache::FastMmap no longer needs to be wrapped to store plain values.
from Andreas Voegele
Fixes Catalyst with Moose 1.24+, this has been broken in the tree for a
while.
This and the many related updates to follow are all from Andreas Voegele's
repo at https://github.com/voegelas/openbsd-mystuff, thanks Andreas, this must
have been a huge bunch of work. I have forked this at github/sthen/p5-ports-wip
and am removing things from there once committed, there are various additional
new perl ports there and it would be nice if people could help work through
what's left.
Plack::Test::ExternalServer allows your to run your Plack::Test tests
against an external server instead of just against a local application
through either mocked HTTP or a locally spawned server.
Plack::Middleware::ReverseProxy resets some HTTP headers, which were
changed by reverse-proxy. You can specify the reverse proxy address and
stop fake requests using the 'enable_if' directive in your app.psgi.
