Full Disclosure mailing list archives
Re: Denial of Service in WordPress
From: "MustLive" <mustlive () websecurity com ua>
Date: Sat, 29 Jun 2013 20:40:22 +0300
Hello Michal!

Yes, of course there are a lot of ways to make cross-site requests. But what is the benefit of using Looped DoS - do you see it? Looks like you don't. I'll explain it for you.
One standard request (via img and other tags in HTML, etc.) leads to a single request to the target site. One request using a Looped DoS hole (such a hole by itself or artificially created by looping two redirectors) leads to 21 requests - in the case of using a redirector/redirectors with server headers (after the 21st request modern browsers will stop it). And if there is an old IE or an "unlimited bot", or if my bypass techniques are used (using JS or meta-refresh in at least one of the two redirectors) to bypass the browsers' restriction - one request leads to an infinite number of requests. I.e. this is 21 times / infinite times more effective for an attack.
And besides using a link, frame or iframe to lead to Looped DoS, it's also possible to use other standard methods for making a request, such as img or other tags (in this case only server header redirectors must be used), which creates 21 (for modern browsers) or an infinite number of requests (for old IE) from one image. Put a lot of images on forums and other sites which allow the img tag (via html or bbcode) to Looped DoS and there will be a lot of requests from a single visitor of that page.
> Browsers detect redirect loops to prevent accidental mishaps and simplify troubleshooting, not to stop malicious attacks.
Yes, you are right. But exactly this functionality to stop redirect loops (in all modern browsers) can help mitigate such attacks. Just not all techniques of this attack. Also remember that your company's browser Chrome (and some other vendors' too) was trying to prevent looped redirects using JS, but not well enough - as I showed in my Refresh DoS attack in 2008 in my project Day of bugs in browsers. So browser vendors need to improve their redirect loop protection.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Michal Zalewski" <lcamtuf () coredump cx>
To: "MustLive" <mustlive () websecurity com ua>
Cc: "Ryan Dewhurst" <ryandewhurst () gmail com>; "full-disclosure" <full-disclosure () lists grok org uk>
Sent: Friday, June 28, 2013 9:19 AM
Subject: Re: [Full-disclosure] Denial of Service in WordPress

> Attack exactly overload web sites presented in endless loop of redirects. As I showed in all cases of Looped DoS vulnerabilities in web sites and web applications, which I wrote about during 2008 (when I created this type of attacks) - 2013.

You do realize that any browser can be made to issue a *lot* of requests to any other destination on the web - say, by instantiating a bunch of images, leveraging CORS, navigating iframes, etc? Browsers detect redirect loops to prevent accidental mishaps and simplify troubleshooting, not to stop malicious attacks.

/mz
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
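
A server-side check for the traffic pattern discussed in this thread, as an added example that is not part of the original messages: it scans a web server access log for a single client receiving many redirect responses for the same path within a short window. The log lines, the path `/go.php`, the client addresses and the threshold and window values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
REDIRECTS = {"301", "302", "303", "307", "308"}


def find_redirect_loops(lines, threshold=10, window=timedelta(seconds=10)):
    """Return {(client, path): count} for clients that received at least
    `threshold` redirects for one path (query string ignored) within
    `window`. Both defaults are assumed tuning values, not from the thread."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] not in REDIRECTS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[(m["client"], m["path"].split("?", 1)[0])].append(ts)

    flagged = {}
    for key, stamps in hits.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


def sample_log():
    """Constructed log: one client looping 21 times, one normal visitor."""
    base = datetime(2013, 6, 29, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = [
        f'203.0.113.5 - - [{(base + timedelta(milliseconds=100 * i)).strftime(fmt)}] '
        f'"GET /go.php?n={i} HTTP/1.1" 302 0'
        for i in range(21)
    ]
    lines.append(f'198.51.100.7 - - [{base.strftime(fmt)}] "GET /go.php?n=1 HTTP/1.1" 302 0')
    lines.append(f'198.51.100.7 - - [{base.strftime(fmt)}] "GET /index.php HTTP/1.1" 200 512')
    return lines
```

Calling `find_redirect_loops(sample_log())` flags only the looping client; flagged pairs are candidates for rate limiting or for reviewing the redirector's target validation.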