Under review, June 2026

Slow JSON Stream: A Low-Bandwidth Denial-of-Service Attack Against HTTP APIs with JSON Request Bodies

Abstract

Slow JSON Stream is a low-bandwidth DoS attack against HTTP APIs that accept JSON bodies. The attacker opens an HTTP/1.1 chunked connection and drips a valid JSON prefix at one byte per second, never sending the closing token. 90% of the 41 evaluated targets are vulnerable under default configuration.

Slow JSON Stream is a low-bandwidth denial-of-service attack against HTTP APIs that accept application/json bodies.

How it works

The attacker opens an HTTP/1.1 connection with chunked Transfer-Encoding and drips a valid JSON prefix (e.g. {"items":[{...,}) at one byte per second, never sending the closing token. Slowloris does the same with HTTP headers, and servers already cut it off with client_header_timeout. This variant gets past that check and reaches the framework's body reader and JSON parser, where most frameworks set no body timeout by default.
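As an added, defender-side illustration that is not part of the paper or its testbed: a body reader that closes the gap described above, enforcing a wall-clock deadline and a minimum average rate on the request body before anything reaches the JSON parser. It is written against asyncio's StreamReader; the function names (read_json_body, outcome) are assumptions, and _drip is a constructed stand-in for a slow client, used only to exercise the reader locally.

```python
import asyncio
import json
import time

class BodyReadTimeout(Exception): "The body did not arrive within the configured limits."

async def read_json_body(reader, *, max_bytes=1 << 20, deadline_s=5.0, min_bytes_per_s=50.0):
    """Buffer a (possibly chunked, dripped) JSON body under a wall-clock deadline and a
    minimum average rate (checked once the transfer is a second old); parse only after EOF."""
    start = time.monotonic()
    buf = bytearray()
    while True:
        try:  # never block longer than what is left of the deadline
            chunk = await asyncio.wait_for(reader.read(4096),
                                           timeout=deadline_s - (time.monotonic() - start))
        except asyncio.TimeoutError:
            raise BodyReadTimeout("body deadline exceeded") from None
        if not chunk:  # EOF: the sender finished the body
            break
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise ValueError("body too large")
        elapsed = time.monotonic() - start
        if elapsed > 1.0 and len(buf) / elapsed < min_bytes_per_s:
            raise BodyReadTimeout("body arriving too slowly")
    return json.loads(bytes(buf))

async def _drip(reader, payload: bytes, interval_s: float) -> None:
    """Constructed sender (hypothetical): one byte per interval, then EOF."""
    for b in payload:
        reader.feed_data(bytes([b]))
        await asyncio.sleep(interval_s)
    reader.feed_eof()

def outcome(payload: bytes, interval_s: float, deadline_s: float) -> str:
    """'parsed', 'timeout' or 'invalid' for a body delivered at the given drip rate."""
    async def serve_one():
        reader = asyncio.StreamReader()
        sender = asyncio.create_task(_drip(reader, payload, interval_s))
        try:
            return await read_json_body(reader, deadline_s=deadline_s)
        finally:
            sender.cancel()
    try:
        asyncio.run(serve_one())
        return "parsed"
    except BodyReadTimeout:
        return "timeout"
    except ValueError:  # json.JSONDecodeError is a ValueError
        return "invalid"
```

The same control exists at the infrastructure layer, for example nginx's client_body_timeout alongside the client_header_timeout mentioned above; the point is that the body, not just the headers, needs a deadline.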

Results

I evaluated 32 framework/runtime combinations and 9 infrastructure targets (proxies, WAFs, API gateways). 90% of the 41 targets are vulnerable under default configuration.

  • Tier 1 (exploitable at 64 connections): 6 targets (5 frameworks plus the Kong CE API gateway)
  • Tier 2 (no effective body timeout, connections accumulate indefinitely): 29 targets
  • Tier 3 (100% error rate under 64 connections): Flask sync and Rails
  • Tier 4 (resistant by default): 4 targets

The data, tools and Docker testbed are publicly available for exact replication.

Status: pending approval for publication.