Full Disclosure mailing list archives
Re: Denial of Service in WordPress
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sat, 29 Jun 2013 11:03:45 -0700
I.e. this is 21 times / infinite times more effective for attack.
Not really, in terms of the bandwidth you can use up / the number of
requests you can create. You're essentially trading this:
for (var i = 0; i < whatever; i++) {
var x = new XMLHttpRequest(); /* or new Image() or whatever */
...
}
...for this:
for (var i = 0; i < whatever / redirect_limit; i++) {
for (var j = 0; j < redirect_limit; j++) { /* implicit loop */
...
}
}
...and it shouldn't matter.
You can generate a ton of expensive traffic from within JS these days.
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Denial of Service in WordPress, (continued)
- Re: Denial of Service in WordPress Ryan Dewhurst (Jun 27)
- Re: Denial of Service in WordPress MustLive (Jun 27)
- Re: Denial of Service in WordPress Julius Kivimäki (Jun 27)
- Re: Denial of Service in WordPress MustLive (Jun 28)
- Re: Denial of Service in WordPress Jann Horn (Jun 28)
- Re: Denial of Service in WordPress Julius Kivimäki (Jun 29)
- Re: Denial of Service in WordPress Cool Hand Luke (Jun 30)
- Re: Denial of Service in WordPress MustLive (Jun 27)
- Re: Denial of Service in WordPress Ryan Dewhurst (Jun 27)
- Re: Denial of Service in WordPress Jann Horn (Jun 27)
- Re: Denial of Service in WordPress Michal Zalewski (Jun 27)
- Re: Denial of Service in WordPress MustLive (Jun 29)
- Re: Denial of Service in WordPress Michal Zalewski (Jun 29)