Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Web Application DoS
From: Goetz Von Berlichingen <goetzvonberlichingen () comcast net>
Date: Wed, 01 Dec 2004 10:46:58 -0700

kcope wrote:
+-----------------------------------+
| Web Application Denial of Service |
+-----------------------------------+
There is a denial of service condition not in a specific software product
but in several web based applications.
The idea is to make a rather small HTTP request and get a big amount of
data back from the HTTP daemon.

Congratulations, you've discovered an application layer (Layer 7 for the OSI fans) denial of service attack. That first sentence is somewhat sarcastic, but this is not a new discovery. Now you need to generalize this to other applications. What about databases (although you implied one in your example of a web search application)? Even without a web front-end, databases are particularly susceptible to these. If one understands details such as space allocation and indexing formulas of a database, one can make a single query use up a totally disproportionate amount of resources. What about GUIs? Good displays require a lot of math to achieve those wonderful effects we all love. What about distributed applications? Can you pretend to be a client and force the server to thrash? How about pretending to be the server and making the client use up the computer's memory or processing power? Have fun but do it to increase the surety of systems - not for your own profit or amusement.

Goetz


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault