This Python 3 script creates:
- threads and makes GET API calls to any endpoint you specify.
- threads and makes POST API calls to any endpoint you specify.
Use this only on your own APIs, to stress test them, to see how many concurrent requests your server can support, and to test your APIs' rate limits. STRICTLY FOR EDUCATIONAL PURPOSES ONLY.
- Change the number of threads and how many requests each thread makes to adjust the number of total requests to make.
- Add the API URL endpoint to call (`make_requests.py`).
To run: `python3 stress_test.py`
- Python3 requests (`pip install requests --user`)
The most common type of Layer 7 attack is the so-called HTTP flood, which sends seemingly legitimate requests in overwhelming numbers. HTTP floods are particularly effective when they target resource-hungry elements of the web application, such as large file downloads or form submissions.
When flooding, the attacker wants to submerge the target server under many requests, to saturate its computing resources. Flooding works best when the server allocates a lot of resources in response to a single request.
Since POST requests include parameters, they usually trigger relatively complex processing on the server (e.g. database accesses), which is more expensive for the server than serving a much simpler GET. Thus, POST-based flooding tends to be more effective than GET-based flooding (it takes fewer requests to drown the server if the requests are POST). On the other hand, because GET requests are much more common, it is often far easier for the attacker to enlist (involuntary) help in the flooding effort when GET-flooding.
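From the defender's side, the cost difference described above can be built into the rate limit being tested. The following is an added example, not part of this project's script: a per-client token bucket that charges POST more than GET. The class name, the costs, the capacity and the refill rate are assumptions chosen for illustration.

```python
import time

# Assumed relative costs: POST is charged more because it usually triggers
# heavier server-side work (e.g. database access) than a plain GET.
METHOD_COST = {"GET": 1.0, "POST": 5.0}


class CostAwareLimiter:
    """Per-client token bucket; each request spends tokens by method cost."""

    def __init__(self, capacity=20.0, refill_per_sec=5.0, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock          # injectable so tests can freeze time
        self.buckets = {}           # client id -> (tokens, last_seen)

    def _cost(self, method):
        # Unknown methods are charged the highest known cost (fail closed).
        return METHOD_COST.get(method.upper(), max(METHOD_COST.values()))

    def allow(self, client, method):
        """Return True to serve the request, False to answer 429."""
        now = self.clock()
        tokens, last = self.buckets.get(client, (self.capacity, now))
        # Refill for the elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        cost = self._cost(method)
        allowed = tokens >= cost
        if allowed:
            tokens -= cost
        self.buckets[client] = (tokens, now)
        return allowed

    def retry_after(self, client, method):
        """Seconds to wait, valid right after a denied allow() call."""
        tokens, _ = self.buckets.get(client, (self.capacity, 0.0))
        return max(0.0, (self._cost(method) - tokens) / self.refill_per_sec)


if __name__ == "__main__":
    limiter = CostAwareLimiter()
    for method in ("GET", "POST"):
        served = sum(limiter.allow(f"client-{method}", method) for _ in range(30))
        print(f"{method}: {served} of 30 burst requests served")
```

In a real deployment the `buckets` table needs idle-entry eviction or a bounded store, otherwise a client that varies its identifier can grow it without limit.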
Distributed under the MIT License. See `LICENSE` for more information.
Syafiqhadzir - @syafiqhadzir_ - inquiry@syafiqhadzir.dev
Project Link: https://github.com/ctsecurity/API-DOS_POC