[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Denial of Service in WordPress

To: MustLive <mustlive@xxxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Denial of Service in WordPress
From: Michal Zalewski <lcamtuf@xxxxxxxxxxx>
Date: Thu, 27 Jun 2013 23:19:28 -0700

> Attack exactly overload web sites presented in endless loop of redirects. As
> I showed in all cases of Looped DoS vulnerabilities in web sites and web
> applications, which I wrote about during 2008 (when I created this type of
> attacks) - 2013.

You do realize that any browser can be made to issue a *lot* of
requests to any other destination on the web - say, by instantiating a
bunch of images, leveraging CORS, navigating iframes, etc?

Browsers detect redirect loops to prevent accidental mishaps and
simplify troubleshooting, not to stop malicious attacks.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Denial of Service in WordPress
  - From: MustLive

References:
- [Full-disclosure] Denial of Service in WordPress
  - From: MustLive
- Re: [Full-disclosure] Denial of Service in WordPress
  - From: Ryan Dewhurst
- Re: [Full-disclosure] Denial of Service in WordPress
  - From: MustLive

Prev by Date: Re: [Full-disclosure] Denial of Service in WordPress
Next by Date: [Full-disclosure] [ MDVSA-2013:186 ] puppet
Previous by thread: Re: [Full-disclosure] Denial of Service in WordPress
Next by thread: Re: [Full-disclosure] Denial of Service in WordPress
Index(es):
- Date
- Thread