http2-rst-stream

Sort of like Slowloris, but for HTTP2. A proof of concept for CVE-2023-44487

This package contains a client that sends HTTP2 stream resets (RST_STREAM) to a local server. It does this by misusing a Go HTTP client error handler that sends a reset if the request Body is longer than the request Content-Length.

To run:

go build && ./http2-rst-stream

It intentionally does not allow targeting of remote web servers out of the box. I'm not trying to help people break stuff.

Original inspiration: https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve

Name		Name	Last commit message	Last commit date
Latest commit History 4 Commits
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
client.go		client.go
go.mod		go.mod
go.sum		go.sum
main.go		main.go
server.crt		server.crt
server.go		server.go
server.key		server.key

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

.gitignore

.gitignore

LICENSE

LICENSE

README.md

README.md

client.go

client.go

go.mod

go.mod

go.sum

go.sum

main.go

main.go

server.crt

server.crt

server.go

server.go

server.key

server.key

Repository files navigation

http2-rst-stream

About

Releases

Packages

Languages

License

micrictor/http2-rst-stream

Folders and files

Latest commit

History

Repository files navigation

http2-rst-stream

About

Resources

License

Stars

Watchers

Forks

Languages