Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-44487 PoC — Apache HTTP/2 资源管理错误漏洞

Source
https://github.com/internalwhel/rapidresetclient
Associated Vulnerability
Title:Apache HTTP/2 资源管理错误漏洞 (CVE-2023-44487)
Description:The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Description
Tool for testing mitigations and exposure to Rapid Reset DDoS (CVE-2023-44487)
Readme
# Rapid Reset Client

Rapid Reset Client is a tool for testing mitigations and exposure to CVE-2023-44487 (Rapid Reset DDoS attack vector). It implements a minimal HTTP/2 client that opens a single TCP socket, negotiates TLS, ignores the certificate, and exchanges SETTINGS frames. The client then sends rapid HEADERS frames followed by RST_STREAM frames. It monitors for (but does not handle) server frames after initial setup, other than to send to stdout. This functionality is easily removed from source if it's too annoying. 

## Prerequisites

- [Go](https://golang.org/dl/)

Tested on go1.21.3 on arm64.  

## Installation

### Clone the Repository

```
git clone https://github.com/internalwhel/rapidresetclient.git
```

### Installing

```
cd rapidresetclient

go get golang.org/x/net/http2

go get golang.org/x/net/http2/hpack

go build -o rapidresetclient
```

### Flags

- `requests`: Number of requests to send (default is 5)

- `url`: Server URL (default is `https://localhost:443`)

- `wait`: Wait time in milliseconds between starting workers (default is 0)

- `delay`: Delay in milliseconds between sending HEADERS and RST_STREAM frames (default is 0)

- `concurrency`: Maximum number of concurrent workers (default is 0)

### Example

Send 10 HTTP/2 requests (HEADERS and RST_STREAM frames) over a single connection to https://example.com using 5 workers, a 10 ms delay between sending HEADERS and RST_STREAM frames, and a wait time of 100 ms between each invocation.

```
./rapidresetclient  -requests=10  -url  https://example.com  -wait=100  -delay=10 -concurrency=5
```

## Built With

- [http2](https://pkg.go.dev/golang.org/x/net/http2) - Package that exposes low-level HTTP/2 primitives

- [http2/hpack](https://pkg.go.dev/golang.org/x/net/http2/hpack) - HTTP/2 header compression package

## Authors

-  Jeffrey  Lyon  -  *Initial  release*  - @secengjeff

See also the list of [contributors](https://github.com/internalwhel/rapidresetclient/contributors)

## License

This project is licensed under the Apache License - see the [LICENSE](LICENSE) file for details

## Acknowledgments

This work is based on the [initial analysis of CVE-2023-44487](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack) by Juho Snellman and  Daniele Iamartino at Google.
File Snapshot

 [4.0K]  /data/pocs/3bbd4e97889706e873207fcfcd36246dbac2246b
├── [ 519]  CHANGELOG.md
├── [ 140]  go.mod
├── [ 308]  go.sum
├── [ 11K]  LICENSE
├── [5.9K]  main.go
└── [2.3K]  README.md

0 directories, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →