Denial of Service - OWASP
5/12/2015 Denial of Service - OWASP
https://www.owasp.org/index.php/Denial_of_Service
Denial of Service
From OWASP
This is an Attack. To view all attacks, please see the Attack Category page.
Last revision (mm/dd/yy): 02/3/2015
Description
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed for. There are many ways to make a service unavailable for legitimate users: by manipulating network packets, or by exploiting programming, logical, or resource-handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or if the way the service handles the resources it uses is abused.
Sometimes the attacker can inject and execute arbitrary code while performing a DoS attack in order to access critical information or execute commands on the server. Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in a direct impact on availability.
Risk Factors
Risk factors can break down into multiple categories. Two principal sources of risk are inadequate resources and non-technical threat motivators.
The first example of a risk factor, inadequate resources, requires attention if the system architecture was not designed to meet traffic demand overflows. This risk reduces the difficulty of successfully executing a DoS attack and can, left unchecked, result in DoS symptoms absent an actual attack.
The second example, and perhaps the largest risk factor, is not technical and is in the domain of public relations or strategic communications. An organization should avoid taking action that can make it a target of a DoS attack unless the benefits of doing so outweigh the potential costs or mitigating controls are in place.
Other risk factors may also exist depending on the specific environment.
Examples
The following DoS techniques and examples were extracted from OWASP Testing Guide v2.
DoS User Specified Object Allocation
If users can supply, directly or indirectly, a value that will specify how many of an object to create on the application server, and if the server does not enforce a hard upper limit on that value, it is possible to cause the environment to run out of available memory. The server may begin to allocate the required number of objects specified, but if this is an extremely large number, it can cause serious issues on the server, possibly filling its whole available memory and degrading its performance.
The following is a simple example of vulnerable code in Java:
    // The request parameter is taken as-is; no upper bound is enforced before allocation.
    String TotalObjects = request.getParameter("numberofobjects");
    int NumOfObjects = Integer.parseInt(TotalObjects);
    ComplexObject[] anArray = new ComplexObject[NumOfObjects]; // wrong!
DoS User Input as a Loop Counter
Similar to the previous problem of User Specified Object Allocation, if the user can directly or indirectly assign a value that will be used as a counter in a loop function, this can cause performance problems on the server.
The following is an example of vulnerable code in Java:
    public class MyServlet extends ActionServlet {
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            ...
            String[] values = request.getParameterValues("CheckboxField");
            // Process the data without length check for reasonable range - wrong!
            // The number of submitted values, and so the loop count, is chosen by the client.
            for (int i = 0; i < values.length; i++) {
                // per-value processing (elided in the original)
            }
            ...
        }
    }
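The following is an added example (not part of the OWASP page) showing the hardened form of the two Java snippets above in C: the user-supplied count is parsed strictly and checked against a hard upper limit before any allocation, and a client-controlled loop bound is rejected when it exceeds that limit. MAX_OBJECTS, ComplexObject and the function names are assumptions chosen for the illustration.

```c
#include <errno.h>
#include <stdlib.h>

/* Hard upper limit on objects one request may ask for (assumed value). */
#define MAX_OBJECTS 1000

typedef struct { int id; char payload[256]; } ComplexObject;

/* Parse a user-supplied count. Returns 0 and sets *out on success, -1 if the
 * string is not a plain non-negative decimal integer within [0, MAX_OBJECTS]. */
int parse_object_count(const char *s, size_t *out) {
    char *end;
    if (s == NULL || *s == '\0') return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0') return -1;   /* overflow or trailing junk */
    if (v < 0 || v > MAX_OBJECTS) return -1;      /* enforce the hard limit */
    *out = (size_t)v;
    return 0;
}

/* Allocate exactly the validated number of objects; NULL when the count is
 * rejected. calloc() also refuses count*size products that overflow size_t. */
ComplexObject *allocate_objects(const char *count_param, size_t *n) {
    if (parse_object_count(count_param, n) != 0) return NULL;
    return calloc(*n ? *n : 1, sizeof(ComplexObject));
}

/* Loop-counter variant: refuse to iterate at all when the client submitted
 * more values than the limit allows. Returns 0 and the number of values
 * processed, or -1 if the request was rejected before any work was done. */
int process_values(const char **values, size_t nvalues, size_t *processed) {
    *processed = 0;
    if (nvalues > MAX_OBJECTS) return -1;
    for (size_t i = 0; i < nvalues; i++) {
        if (values[i] != NULL) (*processed)++;   /* stand-in for real work */
    }
    return 0;
}
```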
The following is an example of vulnerable code in Java in which resources are not released on every path. In the example, both the Connection and the CallableStatement should be closed in a finally block; as written, an SQLException skips both close() calls.
    public class AccountDAO {
        public void createAccount(AccountInfo acct) throws AcctCreationException {
            try {
                Connection conn = DAOFactory.getConnection();
                CallableStatement calStmt = conn.prepareCall(...); // call string elided in the original
                calStmt.executeUpdate();
                // Only reached on success: an exception above leaks both resources.
                calStmt.close();
                conn.close();
            } catch (java.sql.SQLException e) {
                throw new AcctCreationException(...);
            }
        }
    }
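The following is an added example (not from the OWASP page) that simulates the consequence of the AccountDAO flaw above with a constructed fixed-size connection pool in C: the leaky version releases its handle only on the success path, so a few failing requests exhaust the pool and subsequent good requests are denied, while the fixed version releases on every path via a cleanup label, the C counterpart of a finally block. POOL_SIZE, the pool helpers and the function names are assumptions.

```c
#include <stdbool.h>

/* Constructed stand-in for a connection pool of fixed size (assumed value). */
#define POOL_SIZE 4
static int pool_in_use = 0;

static int pool_acquire(void) {            /* handle >= 0, or -1 when exhausted */
    if (pool_in_use >= POOL_SIZE) return -1;
    return pool_in_use++;
}
static void pool_release(int handle) { if (handle >= 0) pool_in_use--; }
int  pool_available(void) { return POOL_SIZE - pool_in_use; }
void pool_reset(void)     { pool_in_use = 0; }

/* Stand-in for executeUpdate(): fails when `fail` is set, like an SQLException. */
static int execute_update(int handle, bool fail) { (void)handle; return fail ? -1 : 0; }

/* Mirrors the page's AccountDAO: the release happens only on the success path,
 * so each failing request leaks one handle. Returns 0 on success, -1 on error. */
int create_account_leaky(bool fail) {
    int conn = pool_acquire();
    if (conn < 0) return -1;                          /* pool exhausted */
    if (execute_update(conn, fail) != 0) return -1;   /* error path: no release */
    pool_release(conn);
    return 0;
}

/* Fixed version: the release runs on every path (the finally-block equivalent). */
int create_account_fixed(bool fail) {
    int rc = -1;
    int conn = pool_acquire();
    if (conn < 0) return -1;
    if (execute_update(conn, fail) != 0) goto cleanup;
    rc = 0;
cleanup:
    pool_release(conn);                               /* always reached */
    return rc;
}

/* Drive `requests` failing calls through fn and report handles left in the pool. */
int available_after_failures(int (*fn)(bool), int requests) {
    pool_reset();
    for (int i = 0; i < requests; i++) fn(true);
    return pool_available();
}
```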
DoS Buffer Overflows
Any language where the developer has direct responsibility for managing memory allocation, most notably C and C++, has the potential for a buffer overflow. While the most serious risk related to a buffer overflow is the ability to execute arbitrary code on the server, the first risk comes from the denial of service that can happen if the application crashes.
The following is a simplified example of vulnerable code in C:
    #include <string.h>

    void overflow(char *str) {
        char buffer[10];
        strcpy(buffer, str); // Dangerous! No check that str fits in buffer.
    }

    int main() {
        char *str = "This is a string that is larger than the buffer of 10";
        overflow(str);
    }
If this code example were executed, it would cause a segmentation fault and dump core. The reason is that strcpy would try to copy 53 characters into an array of only 10 elements, overwriting adjacent memory locations. While this example is an extremely simple case, the reality is that in a web-based application there may be places where the user input is not adequately checked for its length, making this kind of attack possible.
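The following is an added example (not from the OWASP page) showing the length check the snippet above lacks: the copy is performed only when the whole input, including its terminating NUL, fits the destination, and over-long input is rejected rather than silently truncated. copy_checked and overflow_fixed are names chosen here; the 53-character string is the page's own.

```c
#include <stddef.h>
#include <string.h>

/* Copy src into dst (capacity dstsz) only if the whole string fits, including
 * the terminating NUL. Returns 0 on success; -1 if the input is too long or
 * invalid, in which case dst is left as an empty string, not truncated data. */
int copy_checked(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || dstsz == 0) return -1;
    dst[0] = '\0';
    if (src == NULL) return -1;
    /* Look for the NUL within the first dstsz bytes only, so an unterminated
     * or over-long input is never scanned past the destination's capacity. */
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL) return -1;               /* no room for string plus NUL */
    size_t len = (size_t)(nul - src);
    memcpy(dst, src, len + 1);
    return 0;
}

/* The page's overflow() rewritten to validate length first.
 * Returns 0 if the input was accepted, -1 if it was rejected. */
int overflow_fixed(const char *str) {
    char buffer[10];
    return copy_checked(buffer, sizeof buffer, str);
}

int main(void) {
    const char *str = "This is a string that is larger than the buffer of 10";
    return overflow_fixed(str) == -1 ? 0 : 1;    /* rejected, no crash */
}
```

On builds with stack protection enabled the original snippet aborts instead of segfaulting, with the same availability impact; the checked copy avoids both outcomes.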
DoS Storing too Much Data in Session
Care must be taken not to store too much data in a user session object. Storing too much information in the session, such as large quantities of data retrieved from the database, can cause denial of service issues. This problem is exacerbated if session data is also tracked prior to a login, as a user can launch the attack without the need of an account.
DoS Locking Customer Accounts
The first DoS case to consider involves the authentication system of the target application. A common defense to prevent brute force discovery of user passwords is to lock an account from use after between three to five failed attempts to log in. This means that even if a legitimate user were to provide their valid password, they would be unable to log in to the system until their account has been unlocked. This defense mechanism can be turned into a DoS attack against an application if there is a way to predict valid login accounts.
Note, there is a business vs. security balance that must be reached based on the specific circumstances surrounding a given application. There are pros and cons to locking accounts, to customers being able to choose their own account names, to using systems such as CAPTCHA, and the like. Each enterprise will need to balance these risks and benefits, but not all of the details of those decisions are covered here.
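The following is an added example (not from the OWASP page) of one way to keep the lockout control described above from becoming a permanent denial of service: the lock after MAX_FAILURES bad passwords expires on its own after LOCK_SECONDS, so knowing a valid account name lets an attacker delay a legitimate user but not lock them out indefinitely. The thresholds, the Account structure and login_attempt are assumptions for the illustration.

```c
#include <stdbool.h>

#define MAX_FAILURES 5      /* failures before a temporary lock (assumed) */
#define LOCK_SECONDS 900    /* lock expires on its own after 15 minutes (assumed) */

typedef struct {
    const char *name;
    int  failures;          /* consecutive failed attempts since last success/lock */
    long locked_until;      /* unix time the lock expires; 0 when not locked */
} Account;

enum { LOGIN_OK, LOGIN_BAD_PASSWORD, LOGIN_LOCKED };

/* Evaluate one login attempt at time `now`. The lock is time-bounded rather
 * than permanent, and the failure counter resets on success or lock expiry. */
int login_attempt(Account *a, long now, bool password_ok) {
    if (a->locked_until > now) return LOGIN_LOCKED;   /* still inside the window */
    if (a->locked_until != 0) {                        /* a previous lock has expired */
        a->locked_until = 0;
        a->failures = 0;
    }
    if (password_ok) {
        a->failures = 0;
        return LOGIN_OK;
    }
    if (++a->failures >= MAX_FAILURES) {
        a->locked_until = now + LOCK_SECONDS;          /* start the temporary lock */
        a->failures = 0;
    }
    return LOGIN_BAD_PASSWORD;
}

/* Seconds a legitimate user can be kept out by a burst of bad passwords at time t. */
long max_lockout_delay(long t) { (void)t; return LOCK_SECONDS; }
```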
Related Threat Agents
Category: Logical Attacks
Related Attacks
Resource Injection
Setting Manipulation
Regular expression Denial of Service - ReDoS
Cash Overflow
Related Vulnerabilities
Category: Input Validation Vulnerability
Category: API Abuse
Related Controls
Blocking Brute Force Attacks
Memory Management
References
http://capec.mitre.org/data/index.html - Denial of Service through Resource Depletion
Retrieved from "https://www.owasp.org/index.php?title=Denial_of_Service&oldid=188944"
Categories: OWASP ASDR Project, FIXME, Spoofing, Probabilistic Techniques, Resource Depletion, Attack
This page was last modified on 3 February 2015, at 00:42. This page has been accessed 55,910 times. Content is available under a Creative Commons 3.0 License unless otherwise noted.