[MEDIUM] HTTP Server 缺少超时配置:Slowloris DoS 攻击风险 #11
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
漏洞描述
cmd/server/app.go:74-77创建http.Server时未配置任何超时参数:缺少
ReadHeaderTimeout、ReadTimeout、WriteTimeout和IdleTimeout。风险
Slowloris 攻击:攻击者可以发送不完整的 HTTP 请求(极慢地发送头部),保持连接打开,耗尽服务器的连接池,导致正常用户无法访问。
http.Server无默认超时保护修复建议
严重程度
MEDIUM — 低门槛 DoS 攻击向量,建议尽快修复。