On Thu, Jun 27, 2013 at 11:50:47PM +0300, MustLive wrote:
> > This just affects the client though right?
>
> This DoS only going on client side unlike other types of DoS (see my
> classification), but issue of web application is in allowing Looped DoS
> state. You see error message very quickly because you are living in 2013
> (where already many browsers protect against simple form of Looped DoS) and
> using secure browser - use a browser without this protection (like IE) and
> have fun.

Sooo... a bunch of browsers doing one request at a time (instead of doing
a real attack) and which slow down if your server becomes unresponsive is
a threat? Seriously, that might become a few hundred requests per second
or so if a largeish amount of clients participates, but that shouldn't be
able to bring down your server.

> > From my understanding you'd have to get the user to click on the tinyurl
>
> How the attack must go to benefit the attacker. One way is to give people
> (with vulnerable browsers) to click the link and see endless loop - it'll not
> give enough overload on target server, since people will quickly close the
> browser's tab/window. Another one is to give that link to crazy bots (like
> from search engines), who has no limits on redirects - it'll endlessly
> connect to target site/sites and overload them.

You said it – you'd need "crazy bots" for that. Crazy bots with an absurd
amount of bandwidth (since they're probably not just indexing your site).
I think you'll have a hard time finding those – as far as I know, it's
standard practice to put at least one second of delay between two
requests, and that rate shouldn't be harmful at all.

> Even better way is to put iframe which leads to such redirector at some sites
> (the more the better) - it can be ad network with such "fun banner" or hacked
> web sites with added iframe or via persistent XSS hole. While people will be
> at such sites the browser in background will be infinitely sending requests
> to target site/sites (in case of WP redirectors it will be two sites for the
> first attack with using of tinyurl.com and one site in case of the second
> attack, which works in all WordPress, including WP 3.5.2). The more time
> people spend on particular page with injected iframe with endless redirect
> and the more people are visiting such sites, the more effect will be. No need
> to ask people to "participate in DoS attack", their browser will be
> automatically "participating" via Looped DoS attack (just by entering in any
> way this endless loop).

Yeah, that could happen... but why only do one request at a time? Just use
a javascript that reloads 100 images with src=<targetsite> at a time, and
you have your attack completely without using any vulns (and some
scriptkiddies actually did that, see <http://loic.webs.com/>).

Tip: If you can do something without using a vuln or so, having a vuln for
it is worthless.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
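The thread turns on clients that have "no limits on redirects". As an added example (not part of the original message or of any project named in it), this is the kind of guard a crawler or HTTP client applies: a hop cap plus a visited set that stops on the first repeated URL. The URLs, the response table and the function names are constructed for illustration.

```python
from urllib.parse import urljoin

REDIRECT_CODES = (301, 302, 303, 307, 308)

# Constructed stand-in for HTTP responses: URL -> (status, Location header).
CONSTRUCTED_RESPONSES = {
    # Two redirectors pointing at each other (the two-site loop case).
    "http://short.example/a": (302, "http://blog.example/redirect?to=short"),
    "http://blog.example/redirect?to=short": (302, "http://short.example/a"),
    # A redirector pointing at itself (the one-site loop case).
    "http://blog.example/self": (301, "/self"),
    # An ordinary, terminating redirect.
    "http://blog.example/old": (301, "/new"),
    "http://blog.example/new": (200, None),
}


def constructed_fetch(url):
    """Hypothetical fetcher: looks the URL up in the table, no network I/O."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


def follow_redirects(url, fetch=constructed_fetch, max_hops=5):
    """Follow redirects defensively.

    Returns (outcome, chain) where outcome is 'ok', 'loop',
    'too_many_hops' or 'error', and chain lists every URL seen in order.
    """
    chain = [url]
    seen = {url}
    while True:
        status, location = fetch(url)
        if status not in REDIRECT_CODES:
            return ("ok" if status < 400 else "error"), chain
        if not location:
            return "error", chain          # redirect without a target
        url = urljoin(url, location)       # resolve relative Location values
        if url in seen:
            chain.append(url)
            return "loop", chain           # stop at the first repeated URL
        if len(chain) > max_hops:
            return "too_many_hops", chain  # cap also covers non-repeating chains
        seen.add(url)
        chain.append(url)
```

The hop cap matters independently of the visited set: a redirector that appends a changing parameter on every hop never repeats a URL, so only the cap stops it.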