The OWASP HTTP Post Tool allows you to test your web applications to ensure its stability from http get and HTTP POST attacks. This tool was programmed by the author to over come the short comings of other
HTTP attack tools such as Slowloris and PyLoris (corrected by Motoma). In other words this QA tool was created to allow you to test your web applications to ensure its stability from HTTP GET and HTTP POST attacks. According to the author, these tools are easier to Detect and the following are the defects of the HTTP GET DDOS attack:
Does not work on IIS web servers or web servers with timeout limits for HTTP headers.
Easily defensible using popular load balancers, such as F5 and Cisco, Reverse proxies and certain Apache modules, such as mod_antiloris.
Anti-DDOS systems may use delayed binding or TCP Splicing to defend against HTTP GET attacks.
So, this tool uses HTTP POST requests, instead of HTTP GET requests to attack a target. Before we get into the facts as to why this tool might work.
Now, back to the reasoning – A HTTP POST request includes a message body in addition to a URL used to specify information for the action being performed. This body can use any encoding, but when web pages send POST requests from an HTML form element the Internet media type is “application/x-www-formurlencoded“. The “Content-Length” field in the HTTP Header tells the web server how large the message body is, for e.g., “Content-Length = 1000”. The HTTP Header portion is complete and sent in full to the web server, hence bypassing IIS inherent Protection.
For e.g., Content-Length = 1000 (bytes). The HTTP message body is properly URLencoded, but, it is sent at,1 byte per 110
seconds (for example). Multiply such connections by 20,000 and your IIS web server will be DDOSed! Most shockingly, web servers can accept up to 2GB worth of content in a single HTTP POST request!
