Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Denial of Service in WordPress
From: "MustLive" <mustlive () websecurity com ua>
Date: Sat, 29 Jun 2013 20:40:22 +0300

Hello Michal!

Yes, of course there are a lot of ways to make cross-site requests. But what is a benefit in using Looped DoS - do you see it? Looks like don't. I'll explain for you.

One standard request (via img and other tags in HTML, etc.) leads to single request to target site. One request with using of Looped DoS hole (such hole by itself or artificially created from looping two redirectors) leads to 21 requests - in case of using redirector/redirectors with server headers (after 21st request modern browsers will stop it). And in case if there will be old IE or "unlimited bot" or there will be used my bypass techniques (using JS or meta-refresh at least in one from two redirectors) to bypass browsers restriction - one request leads to infinite number of requests. I.e. this is 21 times / infinite times more effective for attack.

And besides using of link, frame or iframe to lead to Looped DoS, it's also possible to use other standard methods for making request. Such as img or other tags (in this case only server headers redirectors must be used). Which creates 21 (for modern browsers) or infinite number of requests (for old IE) from one image. Put a lot of images on forums and other sites, which allow img tag (via html or bbcode) to Looped DoS and there will be a lot of requests from single visitor of that page.

Browsers detect redirect loops to prevent accidental mishaps and
simplify troubleshooting, not to stop malicious attacks.

Yes, you are right. But exactly this functionality to stop redirect loops (in all modern browsers) can help mitigate such attacks. Just not all techniques of this attack. Also remember that your company's browser Chrome (and some other vendors too) was trying to prevent looped redirect with using JS, but not good enough - as I showed in my Refresh DoS attack in 2008 in my project Day of bugs in browsers. So browsers vendors need to improve their redirect loops protection.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site

----- Original Message ----- From: "Michal Zalewski" <lcamtuf () coredump cx>
To: "MustLive" <mustlive () websecurity com ua>
Cc: "Ryan Dewhurst" <ryandewhurst () gmail com>; "full-disclosure" <full-disclosure () lists grok org uk>
Sent: Friday, June 28, 2013 9:19 AM
Subject: Re: [Full-disclosure] Denial of Service in WordPress

Attack exactly overload web sites presented in endless loop of redirects. As
I showed in all cases of Looped DoS vulnerabilities in web sites and web
applications, which I wrote about during 2008 (when I created this type of
attacks) - 2013.

You do realize that any browser can be made to issue a *lot* of
requests to any other destination on the web - say, by instantiating a
bunch of images, leveraging CORS, navigating iframes, etc?

Browsers detect redirect loops to prevent accidental mishaps and
simplify troubleshooting, not to stop malicious attacks.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]