Slow HTTP POST vulnerability issue on web site scan

Question

Our website scans from a thrid party tool for vulnerability. I am getting Slow HTTP post issue with my IIS. I am using IIS version 7.5

I set its content-length to 100 in the header section of request filtering and also set the maxAllowedlenght, maxQuerystring and maxUrl but still that Slow HTTP POST is coming in every scan.

So please help me out for reducing that time of the error or what is the setting for IIS or I will write code in my C#.

Answer 1

You get the Slow HTTP post issue because the server allows a request to be kept alive for very long by sending data very slowly.

You have started well by setting the request limits. What's left to do is:

• Set <headerLimits> to configure the type and size of header your web server will accept.

• Tune the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes of the <limits> and <WebLimits> elements to minimize the impact of slow HTTP attacks.

Some more to read: https://blog.qualys.com/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks

Answer 2

Adding the following code solved this problem on a Qualys scan reporting 150085 Slow HTTP POST vulnerability on a Microsoft IIS Server 2016 running PHP, I would assume it should have similar results on IIS 7.5.

<system.webServer>
      <security>
         <requestFiltering>
            <verbs allowUnlisted="false">
                <clear />
                <add verb="GET" allowed="true"/>
                <add verb="POST" allowed="true"/>
            </verbs>
            <requestLimits maxQueryString="1024" maxUrl="2048">
               <headerLimits>
                  <add header="Content-type" sizeLimit="100" />
               </headerLimits>
            </requestLimits>
         </requestFiltering>
      </security>
</system.webServer>