2012: a critical security issue found on web servers
At the Chaos Communication Congress in Berlin on Wednesday, security researchers pointed out dangerous vulnerabilities in popular scripting languages and web application platforms such as PHP, ASP.NET, Java and Python. Alexander 'alech' Klink from security firm n.runs and TU Darmstadt researcher Julian Wälde warned that the hash tables used to look up individual objects in large data sets are vulnerable to simple attacks which could, in turn, be exploited to launch massive "Denial-of-Service" (DoS) attacks.
In order to test your server, we developed software that uses this DoS method, called PostTester.
Sends an optimized colliding-hash payload via the POST method
User interface for monitoring
Up to 200 simultaneous connections
Maximum request size: 8 MB
Java (Tomcat, Jetty, Glassfish...)
PHP (v5...)
OpenBravo, Compiere, SugarCRM, WordPress, Zimbra, Joomla and 99% of dynamic websites (webmails, blogs, forums...)
In practice a single 1 MB request can tie up a server for over a minute, and a 2 MB request for over 15 minutes! The majority of web servers are vulnerable. Web services such as ERP, messaging and online business applications can be exploited remotely over a single DSL line.
Publishers are beginning to provide patches to address this vulnerability.
Don't wait. Test your online service and install the updates if needed.

The colored blocks indicate the activity of the software; when the indicators turn red, the remote server is stalled by the request that was sent. One server core is kept 100% busy by a single connection.
Important note: It is forbidden to use this software against a server that does not belong to you. To avoid this, the free version of PostTester is limited to local addresses (127.0.0.x, 10.x.x.x, 172.16.x.x to 172.31.x.x and 192.168.x.x).
The pro version does not have this limitation but should only be used for testing on the servers that you own.
PostTester is developed by ILM Informatique in order to test its open source solutions (including the ERP OpenConcerto).
© 2012 ILM Informatique. All rights reserved. OpenConcerto is a registered trademark.