I am trying to solve the issue of Slow Post Vulnerability on my application.

Issue: https://blog.qualys.com/securitylabs/2011/07/07/identifying-slow-http-attack-vulnerabilities-on-web-applications

To limit the number of connections from a user, I have used express-rate-limit so that the application does not become unavailable.

const rateLimit = require('express-rate-limit')

const limiter = rateLimit({
  windowMs: 60 * 1000, // 1 minute
  max: 100 // limit each IP to 100 requests per windowMs
})

app.use(limiter)

But if I try to test my application with slowtesttool and run a test with 2 connections (with rate 1 connection per sec and follow-up data every 10 sec), I see the connections never get closed.

[screenshot: test run result with 2 connections open forever]

I have set timeout to the connection as below, but it doesn't seem to work!

app.use((req, res, next) => {
  req.connection.setTimeout(30000, () => {
    req.socket.end()
  })
  next()
})

Is there a way I can limit the rate of accepting data, i.e. specifying the max time I can wait for every next chunk of body?

1 Answer

One solution could be to use the capacities of your front webserver (I assume that you will expose your app behind a server such as nginx, apache, caddy, ...).

Nginx and caddy have this built-in, others probably too.

WoJ