Skip to content

micrictor/http2-rst-stream

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
client.go
client.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 
server.crt
server.crt
 
 
server.go
server.go
 
 
server.key
server.key
 
 

Repository files navigation

http2-rst-stream

Sort of like Slowloris, but for HTTP2. A proof of concept for CVE-2023-44487

This package contains a client that sends HTTP2 stream resets (RST_STREAM) to a local server. It does this by misusing a Go HTTP client error handler that sends a reset if the request Body is longer than the request Content-Length.

To run:

go build && ./http2-rst-stream

It intentionally does not allow targeting of remote web servers out of the box. I'm not trying to help people break stuff.

Original inspiration: https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

4 stars

Watchers

1 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages