Hackt3r

Denial of Service through …

Hello and welcome back guys. Today let us learn about Denial of service.


Web applications are meant to provide a service to their users, be it e-commerce, banking, retail, entertainment, or anything else. If a web application is not providing the service it is meant to, it no longer has any purpose. So what happens if the web application is forcibly stopped from providing the service it offers to its users? The company has to face the consequences.


For example, take Amazon. It is one of the busiest e-commerce platforms out there: many thousands of items are purchased around the globe in a single hour. So what if Amazon itself is unavailable for an hour? The whole world that depends on it goes dark for that hour, and all the services it provides, such as AWS, shopping and entertainment, eventually go down with it. This is the biggest nightmare for any organization. Not being able to provide services is what every organization worries about, as it can cost them valuable customers.


What is Denial Of Service

We have seen above what the effects are when a web application cannot provide its services. If a person tries to bring an organization down by making its services unavailable, that is called a Denial of Service attack. The Wikipedia definition is: “a denial-of-service attack is a cyber-attack in which the perpetrator (malicious attacker) seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network”. We simply call it a DOS attack.


This attack is again divided into two types.

  • Denial of Service (DOS)

  • Distributed Denial of Service (DDOS)

Let us learn about each one of them.


Denial of Service

The main objective of this attack is to keep the system's resources relentlessly occupied, so that no other operation can be performed and the service becomes unavailable to its users.

This can be caused in many ways

  • Buffer Overflow Attacks

Here a memory buffer is overflowed, which causes the system to consume all of its CPU reserves, hard disk space, memory and CPU time. This eventually results in system crashes, slowdowns and server problems, causing the Denial of Service.

  • Flood Attacks

In this attack, the attacker sends huge numbers of requests or packets, more than the server has capacity for, making it unavailable to its intended users. To perform this attack successfully, the attacker needs more bandwidth than the web server has.

  • ICMP Flood

Here the attacker sends spoofed packets to ping every computer on the network instead of a single system, which causes the network to amplify the traffic. This attack is also known as the smurf attack or ping of death.


Distributed Denial of Service

This is simply a DOS attack in which more than one attacker overwhelms the server with requests. In a DOS attack there is only one attacker, or one place from which the attack takes place. In DDOS, the attack is distributed among several attackers who perform the same routine as in DOS to make the service unavailable. Because the origin of the attack is distributed, it is called Distributed Denial of Service.



Impact of DOS

The impact could be devastating as we have already discussed before.

  • Genuine users are not able to access resources

  • Severe outage and monetary loss if not brought under control

  • Customers will be lost, as services are not available and more importantly they may choose others who provide the same services

  • Costs the reputation of the organization

Defending against DOS

  • Using a firewall, which only allows genuine requests

  • Using load balancers, which can divert the requests to other servers if more requests are coming to one server.

  • Having restrictions on the number of requests that can come from an IP

  • Moving all business-critical applications to the cloud or to a separate public subnet

  • Active monitoring of servers

  • Using anti-DDOS services and keeping them updated

Bug hunter methodology

Now let us see how this can show up as a vulnerability in a web application. This is not my finding. I have seen it somewhere and posted it here, so more people would know about it. It is called an application-level DOS attack.


Steps to find it

  1. Find a website.

  2. Go to the sign-up form and fill in your details.

  3. While entering the password, enter a very long string, say 100000 characters.

  4. See if the application accepts it.

  5. If it does, you will notice a slight delay in the web application's response in your next step.

  6. To check whether the application really accepted the string, switch on Burp, capture the request you are sending, and check whether the password string has more than 100000 characters.

  7. If the string being taken is only <100 characters, then there is no vulnerability.

  8. This is called Application Level DOS.

  9. Check the scope before you proceed.

Impact

  • Hashing such a large password consumes significant resources, because the password hash has to process every byte the attacker sends.

  • The attacker may perform this from various sources simultaneously which can lead to DDOS.

Remediation

Restrict how many characters a user can enter as a password. A limit like 72 or 48 characters mitigates this vulnerability.
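Added example in Python (not code from the original post), covering both the Burp check in step 6 and the remediation above: a constructed sign-up handler that measures the password in UTF-8 bytes and rejects oversized input before any hashing runs. The 72-byte limit and the PBKDF2 parameters are assumed values; 72 is also bcrypt's input limit, so nothing is silently truncated if bcrypt is the hash in use.

```python
import hashlib
import os
from urllib.parse import parse_qs

# Upper bound on password bytes accepted before hashing. 72 is the figure the
# post suggests (assumed here); it is also bcrypt's input limit.
MAX_PASSWORD_BYTES = 72
PBKDF2_ITERATIONS = 100_000  # assumed KDF cost

class PasswordTooLong(ValueError):
    """Raised when a submitted password exceeds MAX_PASSWORD_BYTES."""

def hash_password_unbounded(password: str, salt: bytes) -> bytes:
    """Vulnerable shape: the password goes straight to the KDF with no bound,
    so the amount of input the server must process is attacker-chosen."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)

def hash_password_bounded(password: str, salt: bytes) -> bytes:
    """Hardened: reject oversized input before the expensive step. The limit
    is measured in encoded bytes, so multi-byte Unicode cannot slip past a
    character-based check."""
    encoded = password.encode("utf-8")
    if len(encoded) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"{len(encoded)} bytes; limit {MAX_PASSWORD_BYTES}")
    return hashlib.pbkdf2_hmac("sha256", encoded, salt, PBKDF2_ITERATIONS)

def submitted_password(raw_body: str) -> str:
    """Pull the 'password' field out of a captured form body (step 6)."""
    return parse_qs(raw_body, keep_blank_values=True).get("password", [""])[0]

def signup_accepts(raw_body: str) -> bool:
    """Constructed sign-up handler: True if the password was hashed and
    stored, False if the length check rejected it."""
    try:
        hash_password_bounded(submitted_password(raw_body), os.urandom(16))
    except PasswordTooLong:
        return False
    return True

if __name__ == "__main__":
    # Constructed request bodies: a normal sign-up and a 100000-character one.
    normal = "username=alice&password=correct-horse-battery-staple"
    oversized = "username=alice&password=" + "A" * 100000
    print(len(submitted_password(oversized)), signup_accepts(normal),
          signup_accepts(oversized))  # 100000 True False
```

The same check belongs on the change-password and password-reset handlers, since they hash user-supplied input through the same path.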

Other ways to find this vulnerability

  1. After logging in to a website, go to the settings page.

  2. Select the change password option and check this function too for the same vulnerability.

  3. If you can give >100000 characters, then you have found yourself a nice bug.

This is a low-impact issue, and some websites don't even consider it a vulnerability, while others rate it as high depending on how you report it. Either way, enforcing the limit is a worthwhile security measure.


Hope you enjoyed the article and learned something new today. Catch you all in the next post with another vulnerability. Check out my Instagram to know more about Tips and Tricks to finding bugs.


Till then take care and Happy Hacking!!!👋👋
