HTTP/2 Rapid Reset
CVE-2023-44487 is a protocol-level denial-of-service vulnerability in HTTP/2, commonly referred to as "Rapid Reset." An attacker abuses normal HTTP/2 stream management by opening large numbers of streams and then immediately canceling them with RST_STREAM frames, often by sending a HEADERS frame followed immediately by RST_STREAM. This allows the attacker to keep an effectively unbounded number of requests in flight on a small number of TCP connections without being constrained by typical concurrent-stream limits. Although the client quickly abandons each request, vulnerable servers, reverse proxies, and intermediaries may still allocate per-stream state, decompress headers, parse requests, map URLs, invoke routing logic, and in some cases proxy work to backends before the reset is processed. The result is asymmetric resource consumption that was exploited in the wild in large-scale DDoS activity observed from August through October 2023.
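Seen from the server side, the pattern described above is a connection on which nearly every opened stream is cancelled by the client almost immediately, while the number of concurrently open streams stays low. The following is an added example, not code from any of the repositories listed on this page or from a vendor patch: a per-connection sliding-window counter of rapid client cancels, run over constructed frame events. The event tuple format, the thresholds, and all names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed policy values for illustration; tune against real traffic.
WINDOW_SECONDS = 1.0         # sliding window over which cancels are counted
MAX_RAPID_RESETS = 20        # rapid client cancels tolerated per window
FAST_CANCEL_SECONDS = 0.05   # RST_STREAM this soon after HEADERS is "rapid"


@dataclass
class ConnState:
    open_streams: dict = field(default_factory=dict)    # stream_id -> HEADERS time
    rapid_resets: deque = field(default_factory=deque)  # timestamps of rapid cancels
    peak_concurrent: int = 0
    flagged: bool = False


class RapidResetDetector:
    """Tracks client-initiated stream cancels per connection."""

    def __init__(self, window=WINDOW_SECONDS, max_resets=MAX_RAPID_RESETS,
                 fast_cancel=FAST_CANCEL_SECONDS):
        self.window = window
        self.max_resets = max_resets
        self.fast_cancel = fast_cancel
        self.conns = defaultdict(ConnState)

    def observe(self, ts, conn_id, event, stream_id):
        """Feed one event; returns True once the connection should be closed."""
        st = self.conns[conn_id]
        if event == "HEADERS":
            st.open_streams[stream_id] = ts
            st.peak_concurrent = max(st.peak_concurrent, len(st.open_streams))
        elif event == "RESPONSE_END":
            st.open_streams.pop(stream_id, None)
        elif event == "RST_STREAM":
            opened = st.open_streams.pop(stream_id, None)
            if opened is not None and ts - opened <= self.fast_cancel:
                st.rapid_resets.append(ts)
        # Drop cancels that have aged out of the sliding window.
        while st.rapid_resets and ts - st.rapid_resets[0] > self.window:
            st.rapid_resets.popleft()
        if len(st.rapid_resets) > self.max_resets:
            st.flagged = True
        return st.flagged


def constructed_events():
    """Constructed sample events (not captured traffic), sorted by time."""
    events = []
    # conn-A: every stream is cancelled 1 ms after it is opened.
    for i in range(100):
        t = i * 0.002
        sid = 1 + 2 * i
        events.append((t, "conn-A", "HEADERS", sid))
        events.append((t + 0.001, "conn-A", "RST_STREAM", sid))
    # conn-B: 30 normal requests; three are cancelled late (user navigates away).
    for i in range(30):
        t = i * 0.01
        sid = 1 + 2 * i
        events.append((t, "conn-B", "HEADERS", sid))
        if i % 10 == 0:
            events.append((t + 0.5, "conn-B", "RST_STREAM", sid))
        else:
            events.append((t + 0.2, "conn-B", "RESPONSE_END", sid))
    return sorted(events)


def analyze(events):
    """Return {conn_id: (flagged, peak_concurrent_streams)}."""
    det = RapidResetDetector()
    for ts, conn_id, event, stream_id in events:
        det.observe(ts, conn_id, event, stream_id)
    return {cid: (st.flagged, st.peak_concurrent) for cid, st in det.conns.items()}


if __name__ == "__main__":
    for cid, (flagged, peak) in sorted(analyze(constructed_events()).items()):
        print(f"{cid}: flagged={flagged} peak_concurrent_streams={peak}")
```

In the constructed data, conn-A never has more than one stream open at a time, so a SETTINGS_MAX_CONCURRENT_STREAMS cap alone would not register it; the cancel-rate counter does, while conn-B's occasional late cancels stay under the threshold.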
Exploits
18 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (7 hidden).
This repository is a small Python HTTP/2 security lab rather than a real-world offensive exploit kit. It contains three executable Python files: a deliberately vulnerable HTTP/2 TLS server (basic_server.py), a hardened comparison server (hardened_server.py), and an attack/test harness (compare.py). README.md explains the lab goals and the three simulated attacks. The main offensive logic is in compare.py. It creates TLS client connections with certificate validation disabled, negotiates HTTP/2 via ALPN 'h2', and runs three protocol-abuse tests against local targets. The Slowloris test opens a stream, sends request headers without END_STREAM, and then idles to hold server resources. The Rapid Reset test repeatedly opens streams and immediately resets them, modeling the HTTP/2 Rapid Reset issue associated with CVE-2023-44487. The Header Flood test sends a request with roughly 304 headers, including 300 junk headers, to simulate an HPACK/header allocation pressure attack. These are denial-of-service style behaviors only; there is no RCE, shell payload, persistence, or post-exploitation logic. basic_server.py implements a minimal HTTP/2-over-TLS server on 127.0.0.1:8443. It generates a temporary self-signed certificate using openssl, accepts HTTP/2 requests, logs request metadata, and intentionally lacks protections such as header limits, timeout enforcement, rate limiting, or stream abuse handling. It tracks RST counts only for display and takes no defensive action. hardened_server.py implements the defended counterpart on 127.0.0.1:8444. Although the provided content is truncated, the visible code and README indicate five defenses: a watchdog that closes idle connections with open streams (Slowloris mitigation), IP banning after excessive RST_STREAM activity, header-count enforcement with stream reset, request rate limiting, and MAX_CONCURRENT_STREAMS advertisement/capping. The code maintains shared state for banned IPs, RST counters, request timestamps, and per-connection watch data. Overall purpose: this repository is best classified as a proof-of-concept lab for demonstrating HTTP/2 DoS techniques and validating mitigations in a controlled localhost environment. It is an exploit simulation/test harness, not a weaponized exploit repository.
Single-file repository containing a Python proof-of-concept for CVE-2023-44487 (HTTP/2 Rapid Reset), embedded directly in README.md. Despite the filename, the README contains executable Python code with a shebang and a standard main() entry point. The script uses only Python standard library modules (argparse, socket, ssl, struct, sys, time). Core behavior: it establishes a TLS client connection to a user-supplied host and port, negotiates ALPN with preference for 'h2', sends the HTTP/2 client preface and an empty SETTINGS frame, then constructs a burst of odd-numbered HTTP/2 streams where each stream sends a minimal HPACK-encoded GET / HEADERS request and immediately follows it with RST_STREAM using the CANCEL error code. This reproduces the Rapid Reset traffic pattern associated with the vulnerability. The code includes helper routines to build raw HTTP/2 frames, generate a minimal HPACK header block for ':method GET', ':scheme https', ':path /', and ':authority <host>', read available bytes from the TLS socket, count GOAWAY frames in returned data, and configure TLS verification behavior. By default, certificate verification is disabled unless --tls-verify is supplied; ALPN must negotiate to 'h2' or the PoC exits. Observed capability is limited to protocol-level testing/evidence collection rather than post-exploitation. It does not deliver a shell, execute commands on the target, or persist access. Its output reports bytes received before and after the burst, counts GOAWAY frames, and notes whether the connection was reset or remained open, which helps determine whether mitigations are present. Overall, this is a legitimate network PoC/exploit-style test script for HTTP/2 Rapid Reset, primarily useful for validation and evidence gathering against authorized HTTPS targets.
This repository is a small Dockerized proof-of-concept lab for an HTTP/2 rapid reset denial-of-service attack. The main exploit logic is in rapid_reset_v1/attacker/attack.py, a Python script using the h2 library and raw sockets to establish an HTTP/2 connection, send repeated GET / HEADERS frames, and immediately cancel each stream with RST_STREAM error code 0x8. The loop increments odd-numbered stream IDs until a very large upper bound, effectively creating a sustained flood intended to stress the target's HTTP/2 stream handling. Repository structure is minimal: attacker/Dockerfile builds a Python 3.13-slim container with h2 installed; docker-compose.yaml defines two services, 'victim' and 'attacker', on a shared Docker bridge network; nginx/nginx.conf configures the victim nginx server to listen on port 80 with HTTP/2 enabled. The victim uses nginx:1.25.2 and is exposed on host port 8080, though the attacker container targets the internal Docker hostname 'victim' on port 80. The exploit is a real offensive network DoS proof of concept rather than a detector. It does not include post-exploitation or code execution payloads; its sole capability is service disruption through HTTP/2 protocol abuse. The hardcoded target and simple loop make it operational but not highly flexible.
Repository is a Rust workspace implementing an HTTP/2 stress-testing and attack-simulation framework (“Phoenix”) with raw frame-level control.
Structure/purpose:
- phoenix-cli/: Main CLI binary `phoenix` (clap-based) to run attacks (`phoenix attack <type> --target ...`) and a `scan` subcommand (implementation not fully shown due to truncation). Produces terminal summaries and optional JSON reports.
- phoenix-attacks/: Core attack modules implementing an `Attack` trait. Modules craft and send raw HTTP/2 frames over TLS using phoenix-core’s `RawH2Connection`, plus a “universal” adaptive module using the `h2` crate.
- phoenix-core/: Low-level TLS + raw HTTP/2 frame read/write, frame builders (SETTINGS, HEADERS, RST_STREAM, PING, CONTINUATION, etc.), and a connection pool. Includes a no-op TLS verifier for testing.
- phoenix-metrics/: Atomic counters + HDRHistogram latency tracking and a ratatui terminal dashboard.
- phoenix-report/: JSON report writer and terminal summary formatting.
- target-server/: Reference nginx+Python analytics target environment for measuring HTTP/2 stream rates via access logs and broadcasting live stats over WebSocket.
Exploit/attack capabilities (network DoS/stress):
- Rapid Reset (CVE-2023-44487): sends HEADERS then immediately RST_STREAM at very high rates across multiple connections to burn server CPU/memory on stream lifecycle churn.
- CONTINUATION flood (CVE-2024-27983 family): sends HEADERS without END_HEADERS then many CONTINUATION frames to force server buffering/processing of oversized header blocks.
- HPACK bomb: manipulates HPACK dynamic table by inserting a large header value and referencing it many times to amplify decompression memory usage.
- SETTINGS flood: sends many SETTINGS frames without waiting for ACKs to overload server frame queues/ACK handling.
- PING flood: sends many PING frames (optionally tracking ACKs) to consume server resources.
- Load test: legitimate GET request generation over raw HTTP/2 for throughput/latency measurement.
- Universal module: probes server (ALPN/SETTINGS) and adapts behavior; includes a rapid-reset-like mode using `h2` stream resets.
Notable security-relevant implementation details:
- Multiple modules construct URLs as `https://<host>:<port>` and rely on ALPN h2.
- `phoenix-core/connection.rs` and `phoenix-attacks/universal.rs` implement a dangerous/no-op certificate verifier (accepts any cert), enabling testing against self-signed targets but also reducing safety if misused.
Overall, this is an operational, multi-module HTTP/2 attack/stress framework rather than a single exploit PoC; it is designed to generate protocol-accurate abusive HTTP/2 frame patterns and measure their effects.
Phoenix is a Rust workspace implementing an HTTP/2 stress-testing / attack-simulation toolkit that operates at the raw frame level over TLS (ALPN h2). It is not a Metasploit/Nuclei-style framework module; it is a standalone multi-crate project.
Repository structure (35 files):
- phoenix-core/: low-level primitives for HTTP/2 over TLS
  - connection.rs: establishes TCP+TLS connections, enforces ALPN 'h2', sends HTTP/2 preface and SETTINGS handshake, and provides raw frame read/write.
  - frame.rs: constructs/parses HTTP/2 frames (SETTINGS, HEADERS, RST_STREAM, PING, CONTINUATION, etc.) and includes minimal HPACK encoding helpers.
  - pool.rs/config.rs/error.rs: connection pooling, target/attack configuration validation, and error types.
- phoenix-attacks/: attack modules implementing an Attack trait with AttackContext/AttackResult
  - rapid_reset.rs (CVE-2023-44487): repeatedly sends a minimal GET HEADERS frame then immediately RST_STREAM on many streams across multiple connections; optional RPS rate limiting via governor.
  - continuation_flood.rs (CVE-2024-27983 family): sends HEADERS without END_HEADERS then many CONTINUATION frames (optionally ending with END_HEADERS) to force server buffering/processing.
  - hpack_bomb.rs: sends SETTINGS to enlarge header table and crafts HPACK blocks that add a large dynamic-table entry then reference it many times to amplify decompression memory/CPU.
  - settings_flood.rs: high-rate SETTINGS frames without waiting for ACKs to stress server queues/ACK handling.
  - ping_flood.rs: high-rate PING frames; optionally waits for ACKs to measure handling/latency.
  - load_test.rs: placeholder that currently errors out (notes Rust 1.83+ requirement), indicating the “legitimate load test” path is not operational in the provided snapshot.
- phoenix-metrics/: atomic counters + HDRHistogram latency tracking and a ratatui/crossterm live dashboard.
- phoenix-report/: JSON report writer and terminal summary printer.
- phoenix-cli/: clap-based CLI skeleton with subcommands Attack/Scan/Version; in the provided code, attack execution appears largely “simulated” (prints progress, builds a MetricsSnapshot) rather than wiring into phoenix-attacks’ real network modules.
- index.html: marketing/landing page content (not part of exploit logic).
- test_phoenix.sh: build/test helper script.
Exploit/attack capabilities:
- Network-based HTTP/2 DoS/stress generation over TLS against a user-supplied target host/port.
- Implements multiple protocol-abuse patterns (Rapid Reset, CONTINUATION flood, HPACK bomb, SETTINGS flood, PING flood) by crafting and sending raw HTTP/2 frames.
- Concurrency: multiple parallel connections/tasks; stream ID management; optional rate limiting (Rapid Reset).
- Telemetry: metrics collection (requests/frames, errors, bytes, latency histogram) and reporting.
Notable targeting/assumptions:
- Targets are generic HTTP/2 servers; Rapid Reset explicitly references CVE-2023-44487; CONTINUATION flood references CVE-2024-27983 family.
- Core TLS connector verifies ALPN is 'h2' and defaults to HTTPS/443; config validation in phoenix-core requires https scheme.
Fingerprintable endpoints/observables:
- No hardcoded attacker-controlled C2/IPs/domains; endpoints are user-provided targets.
- Only example URLs (https://example.com, https://test.com) and repository links appear in docs/tests.
- Local file observables include report output paths (user-specified) and standard Rust build artifacts; no registry keys or OS persistence behavior present.
Repository contains a single Go-based application-layer stress/DoS suite named “Slayer 7”. Structure: (1) README.md documents usage, flags, and six attack methods; (2) Slayer.go is the main implementation (~95KB) and entry point; (3) go.mod/go.sum define dependencies; (4) slayer7-banner.svg is branding.
Core capabilities implemented in Slayer.go (per README and imports):
- Multi-method HTTP/S traffic generation with large concurrent worker pools (default 2048) and duration-based runs.
- HTTP GET flood and HTTP POST flood (randomized form/JSON payloads; randomized User-Agent list).
- RUDY/Slow POST technique: holds connections open by advertising large Content-Length and dripping bytes at intervals.
- API JSON flood: targets REST-like endpoints with randomized JSON bodies.
- WebSocket flood using github.com/gorilla/websocket: connection flood plus message bombardment.
- HTTP/2 Rapid Reset method using golang.org/x/net/http2 and hpack: crafts/writes HTTP/2 frames and performs rapid stream resets consistent with CVE-2023-44487-style attacks.
- Proxy rotation support: reads a proxy file and routes traffic via HTTP/HTTPS/SOCKS5 proxies (format shown in README).
No hardcoded victim infrastructure is present; targets are fully user-supplied via the -t flag. Fingerprintable endpoints are limited to example URLs and proxy formats in the README and the expected proxy list file path provided by the user.
Repository contains a small Bash-based DoS testing tool for CVE-2023-44487 (HTTP/2 Rapid Reset) with a minimal README and a single large script (script.sh) as the entry point.
Key capabilities:
- Detects whether the target supports HTTP/2 using curl (HTTP/2 response detection) and a fallback TLS ALPN probe via openssl s_client.
- Provides multiple attack/test modes (as described in README and script variables):
  - rapid_reset: attempts to reproduce Rapid Reset behavior by rapidly creating and resetting streams.
  - stream_bomb: creates excessive numbers of streams with varying/randomized paths.
  - header_overflow: sends very large header values to stress header processing.
  - zero_window / mixed_attack: additional stress patterns combining techniques and/or flow-control edge cases.
- Supports configurable concurrency (THREADS), duration (TEST_DURATION), target host/port, and writes results to cve_2023_44487_results.txt.
Structure/purpose:
- README.md: brief description and lists attack modes; references CVE-2023-44487.
- script.sh: interactive, menu-driven tester with dependency checks (curl/openssl required; nghttp/h2load/nmap optional), HTTP/2 capability detection, header/payload generation routines (partially truncated in provided content), and execution of selected attack modes with basic statistics and final recommendations.
Overall, this is an operational network stress/DoS testing script aimed at HTTP/2 servers and intermediaries potentially vulnerable to Rapid Reset-style resource exhaustion.
This repository is a Proof-of-Concept (PoC) for the HTTP/2 Rapid Reset DDoS vulnerability (CVE-2023-44487). It provides a complete testbed using Docker and Containernet to simulate an attack scenario. The structure includes:
- An 'attacker' component (Go program) that implements the Rapid Reset attack by opening multiple HTTP/2 connections to a target server and rapidly sending HEADERS and RST_STREAM frames to exhaust server resources.
- A 'frontend' service (Nginx 1.23 with HTTP/2 enabled and custom configuration) acting as the vulnerable target.
- A 'backend' service (FastAPI app) providing an API endpoint, proxied by the frontend.
- Infrastructure scripts (Python, Bash, Dockerfiles, YAML) to automate setup, orchestration, and network topology using Containernet and Mininet.
The main exploit logic is in 'infra/attacker/main.go', which is configurable via command-line arguments (number of connections, requests, target URL, etc.). The testbed is designed to demonstrate the impact of the attack, causing the frontend server to become unresponsive. The repository is not a weaponized exploit but a research/PoC tool for demonstrating the vulnerability in a controlled environment.
This repository is a proof-of-concept (PoC) exploit for CVE-2023-44487, the HTTP/2 Rapid Reset Attack. The exploit is implemented in Python (main.py) and leverages the h2 library to interact with HTTP/2 servers. The attack works by rapidly opening streams with HEADERS frames and immediately sending RST_STREAM frames to reset them, causing the server to expend resources on setup and teardown. This technique bypasses the max concurrent streams limit, allowing the attacker to overwhelm the server and potentially cause a denial of service (DoS). The exploit can target a single URL or multiple URLs from a file, and allows configuration of the number of concurrent connections, attack duration, and delay between resets. The README.md provides usage instructions and context about the vulnerability. The code is a functional PoC and does not include weaponized features such as automated target discovery or advanced evasion. The only code file is main.py, which is the entry point and contains all exploit logic. No hardcoded IPs or domains are present; targets are supplied by the user at runtime.
This repository provides an advanced Python-based exploit tool for CVE-2023-44487 (HTTP/2 Rapid Reset). The main exploit script is 'rapid_reset_test.py', which implements multiple sophisticated attack patterns against HTTP/2 servers by rapidly sending and resetting streams to exhaust server resources, resulting in a Denial of Service. The tool is highly configurable, supporting over 40 options for connection management, timing, protocol customization, header manipulation, and monitoring. It is designed for authorized security testing and includes safety features such as confirmation prompts and rate limiting. The repository also includes demonstration scripts ('demo.py', 'advanced_demo.py') for educational purposes, a self-test script ('test_http2_frames.py'), and comprehensive documentation. No hardcoded real-world targets are present; all endpoints are examples. The exploit is operational and can be used to test the effectiveness of mitigations against the HTTP/2 Rapid Reset vulnerability.
This repository provides a Proof of Concept (PoC) for exploiting CVE-2023-44487, the HTTP/2 Rapid Reset vulnerability. The main file, 'CVE-2023-44487.py', allows users to check if a target server supports HTTP/2 and is potentially vulnerable, and to launch a Rapid Reset attack by rapidly opening and resetting HTTP/2 streams. The script interacts with the target over port 443 (HTTPS) and uses the 'h2' Python library to craft HTTP/2 frames. A secondary script, 'Rapid Reset_Slowloris.py', combines the HTTP/2 Rapid Reset attack with a classic Slowloris attack over HTTP/1.1 (port 80), allowing for simultaneous DoS attempts using both protocols. The 'latency_monitor.py' script is a utility for monitoring the response time and availability of a target server, useful for observing the impact of the attacks. The repository is structured as follows:
- 'CVE-2023-44487.py': Main PoC for HTTP/2 Rapid Reset (CVE-2023-44487)
- 'Rapid Reset_Slowloris.py': Combined HTTP/2 Rapid Reset and HTTP/1.1 Slowloris attack
- 'latency_monitor.py': Tool for monitoring server latency
- 'requirements.txt': Python dependencies
- 'README.md': Documentation and usage instructions
No hardcoded target endpoints are present; the user is prompted for the target server. The exploit is a functional PoC and does not include weaponized or automated targeting features. It is intended for educational and research purposes, as stated in the README.
This repository demonstrates a proof-of-concept exploit for CVE-2023-44487 (HTTP/2 Rapid Reset Attack) targeting Apache HTTP Server with HTTP/2 enabled. The main exploit is implemented in Go (reset-rabbit-research.go), which rapidly sends HTTP/2 requests and immediately resets the streams, overwhelming the server and causing a denial-of-service condition. The repository includes detailed setup instructions for both attacker and victim environments, using Docker to deploy a vulnerable Apache server and Webmin for real-time monitoring. Mitigation guidance is provided via IPTables rules to rate-limit incoming HTTPS traffic. The exploit is educational, with supporting documentation and visual evidence of successful DoS. The only code file is the Go exploit; other files are documentation, setup guides, and a Dockerfile for the vulnerable environment. The attack vector is network-based, exploiting HTTP/2 over HTTPS. The main fingerprintable endpoints are the target server's HTTPS URL and the Webmin monitoring interface.
This repository is a Python-based proof-of-concept (PoC) exploit for CVE-2023-44487, which targets HTTP/2 servers with a denial-of-service (DoS) attack. The main file, 44487.py, loads configuration from a .env file (example.env provided) specifying the target URL, total number of requests, and concurrency level. The script uses asyncio and httpx to launch a large number of concurrent HTTP/2 GET requests to the specified target, tracking and reporting statistics such as success rate, error rate, and requests per second. The README provides brief usage instructions. There are no hardcoded endpoints; the target is user-supplied via environment variables. The exploit is a PoC and does not include advanced payloads or weaponization features.
This repository provides a proof-of-concept exploit for CVE-2023-44487, the HTTP/2 Rapid Reset vulnerability. The main exploit logic is implemented in 'rapidresetclient.py', a Python script that establishes a TLS connection to a user-specified HTTPS server, negotiates HTTP/2, and then sends a configurable number of HEADERS frames followed by RST_STREAM frames in rapid succession. This simulates the attack vector used in real-world DDoS attacks exploiting this vulnerability. The script allows customization of the number of requests, concurrency, delays, and target URL/port. Two batch files, 'cve.bat' and 'cve_python.bat', provide user-friendly wrappers for running the exploit on Windows (with a compiled binary) and other systems (using Python), respectively. The README explains the vulnerability, usage, and mitigation steps. The exploit is not weaponized but serves as a practical test tool for server administrators to assess their exposure to CVE-2023-44487. The only hardcoded endpoint is 'https://localhost:443', but the user is prompted to enter any target URL and port at runtime.
This repository provides two Python proof-of-concept scripts demonstrating exploitation of CVE-2023-44487 (HTTP/2 Rapid Reset). The exploit leverages the h2spacex library to open a large number of HTTP/2 streams to a target server (default: abc.example.com:443) and immediately sends RST_STREAM frames to each, aiming to exhaust server resources and potentially cause denial of service.
- 'cve-2023-44487-example1.py' sends 10,000 GET requests, resetting each stream immediately.
- 'cve-2023-44487-example2.py' sends 100,000 POST requests using a single-packet attack technique, also resetting each stream, and uses threading to open multiple connections in parallel.
The repository is structured with a README explaining the attack, two example exploit scripts, and references to the h2spacex library and further reading. The scripts are not weaponized but serve as proof-of-concept for research and testing of the HTTP/2 Rapid Reset vulnerability.
This repository provides a proof-of-concept exploit and measurement tooling for CVE-2023-44487, the HTTP/2 Rapid Reset vulnerability. The main exploit is implemented in Go (main.go) and allows the user to configure various parameters (number of frames, connections, routines, delays, etc.) to send a rapid sequence of HTTP/2 HEADERS and RST_STREAM frames to a target server, attempting to bypass stream concurrency limits and induce excessive server load. The default target is 'https://localhost:443/', but this can be changed via command-line flags. The exploit prints detailed summaries of the server's responses, including frame types and reasons for connection termination. The repository also includes Python tooling (in the 'tooling' directory) for automated testing and measurement, including scripts to run attacks against multiple Dockerized server instances (nginx, apache, etc.), collect latency, CPU, and memory statistics, and generate plots for analysis. The Python scripts are intended for research and benchmarking, not for direct exploitation. Overall, the repository is structured for both manual and automated testing of HTTP/2 servers for susceptibility to the Rapid Reset attack, with a focus on research and measurement rather than weaponization.
This repository contains a Go-based proof-of-concept exploit for CVE-2023-44487, the HTTP/2 Rapid Reset DDoS vulnerability. The main file, 'main.go', implements a minimal HTTP/2 client that establishes a TLS connection to a specified server, negotiates HTTP/2, and then sends a configurable number of HEADERS frames followed by RST_STREAM frames in rapid succession. The tool allows customization of the number of requests, concurrency, and timing between frames, making it suitable for testing server exposure and mitigation effectiveness against this DDoS vector. The README provides clear usage instructions, flag descriptions, and an example command. No hardcoded attack targets are present; the user specifies the target via the 'url' flag. The code is self-contained, does not rely on external exploit frameworks, and is intended for security testing and research purposes.
This repository is a proof-of-concept exploit for CVE-2023-44487, the HTTP/2 Rapid Reset attack. The main exploit logic is implemented in 'main.py', which uses the Twisted and h2 Python libraries to establish multiple HTTP/2 connections to a target server. The script allows the user to specify the target host, path, headers, port, number of requests, maximum parallel streams, and number of parallel TCP connections. It then sends a large number of HTTP/2 streams and rapidly resets them, aiming to exhaust server resources and cause a denial of service. The exploit is configurable via command-line arguments and is intended for testing the vulnerability on HTTP/2-enabled servers. The repository includes standard project files (LICENSE, README.md, poetry.lock, pyproject.toml) and is structured for use with Python Poetry for dependency management. No hardcoded attack targets are present; the user must supply the target endpoint at runtime.
Recent activity
36 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The HTTP/2 Rapid Reset attack, a previously disclosed HTTP/2 protocol-level vulnerability affecting multiple web server implementations, mentioned here for historical context.
HTTP/2 Rapid Reset denial-of-service vulnerability reported by Shodan against the primary C2 host.
An HTTP/2 Rapid Reset denial-of-service vulnerability listed as a known vulnerability on the TMoscow Bot infrastructure.
The HTTP/2 Rapid Reset vulnerability listed by Shodan InternetDB for the host.