The Heartbleed bug


  • This application demonstrates the Heartbleed bug (website) in the OpenSSL library, that was reported in April 2014.

  • For purposes of demonstration, we have setup a server vulnerable to this bug, that you will simulate a heartbleed attack against.

  • For comparison purposes, we also provide a server that has been patched to fix this bug.

  • Briefly, a missing validation step in the OpenSSL library, could allow a hacker to gain access to sensitive information on a server.

  • As part of the handshake protocol between a client and server, a "heartbeat" message is sent from the client, which is then relayed back from the server.

  • The client is also responsible for sending the length of its heartbeat message, which the server uses to determine the bytes from memory to be sent back to the client.

  • A spurious length value, that isn't validated against the actual client message could cause the server to return adjacent blocks from its memory where the client message is stored.

  • In this demonstration, you will be provided a web terminal emulation container that plays the role of the hacker.

  • A Python script is also provided that simulates the attack, by sending a heartbeat message to the buggy server with a bogus length value.

  • Running the script should display the message returned from the server.

  • Since this exploit depends on retrieving useful information from adjacent memory blocks by chance, you should run the script several times to see if you can get a hold of any additional data from the server's memory.

  • You should repeat the experiment, by using the Python script to attempt a Heartbleed attack against the patched server and compare the results.


  • Ready to go? Try It !
  • Note: You will have around 20 minutes to test this application.