Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Denial of Service in WordPress
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sat, 29 Jun 2013 11:03:45 -0700

I.e. this is 21 times / infinite times more effective for attack.

Not really, in terms of the bandwidth you can use up / the number of
requests you can create. You're essentially trading this:

for (var i = 0; i < whatever; i++) {
   var x = new XMLHttpRequest(); /* or new Image() or whatever */
   ...
}

...for this:

for (var i = 0; i < whatever / redirect_limit; i++) {
  for (var j = 0; j < redirect_limit; j++) { /* implicit loop */
    ...
  }
}

...and it shouldn't matter.

You can generate a ton of expensive traffic from within JS these days.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]