[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Denial of Service in WordPress
- To: MustLive <mustlive@xxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Denial of Service in WordPress
- From: Michal Zalewski <lcamtuf@xxxxxxxxxxx>
- Date: Sat, 29 Jun 2013 11:03:45 -0700
> I.e. this is 21 times / infinite times more effective for attack.
Not really, in terms of the bandwidth you can use up / the number of
requests you can create. You're essentially trading this:
for (var i = 0; i < whatever; i++) {
var x = new XMLHttpRequest(); /* or new Image() or whatever */
...
}
...for this:
for (var i = 0; i < whatever / redirect_limit; i++) {
for (var j = 0; j < redirect_limit; j++) { /* implicit loop */
...
}
}
...and it shouldn't matter.
You can generate a ton of expensive traffic from within JS these days.
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/