Re: Denial of Service in WordPress

[Jann Horn <jann () thejh net>]

On Thu, Jun 27, 2013 at 11:50:47PM +0300, MustLive wrote:
> > This just affects the client though right? 
>
> This DoS only going on client side unlike other types of DoS (see my classification), but issue of web application is 
> in allowing Looped DoS state. You see error message very quickly because you are leaving in 2013 (where already many 
> browsers protect against simple form of Looped DoS) and using secure browser - use a browser without this protection 
> (like IE) and have fun.

Sooo... a bunch of browsers doing one request at a time (instead of doing a real attack) and which slow down if your 
server becomes unresponsive is a threat? Seriously, that might become a few hundred requests per second or so if a 
largeish amount of clients participates, but that shouldn't be able to bring down your server.

> > From my understanding you'd have to get the user to click on the tinyurl
>
> How the attack must go to benefit the attacker. One way is to give people (with vulnerable browsers) to click the 
> link and see endless loop - it'll not give enough overload on target server, since people will quickly close the 
> browser's tab/window. Another one is to give that link to crazy bots (like from search engines), who has no limits on 
> redirects - it'll endlessly connect to target site/sites and overload them.

You said it – you'd need "crazy bots" for that. crazy bots with an absurd amount of bandwidth (since they're probably 
not just indexing your site). I think you'll have a hard time finding those – as far as I know, it's standard practice 
to put at least one second of delay between two requests, and that rate shouldn't be harmful at all.

> Even better way is to put iframe which leads to such redirector at some sites (the more the better) - it can be ad 
> network with such "fun banner" or hacked web sites with added iframe or via persistent XSS hole. While people will be 
> at such sites the browser in background will be infinitely sending requests to target site/sites (in case of WP 
> redirectors it will be two sites for the first attack with using of tinyurl.com and one site in case of the second 
> attack, which works in all WordPress, including WP 3.5.2). The more time people spend on particular page with 
> injected iframe with endless redirect and the more people are visiting such sites, the more effect will be. No need 
> to ask people to "participate in DoS attack", their browser will be automatically "participating" via Looped DoS 
> attack (just by entering in any way this endless loop).

Yeah, that could happen... but why only do one request at a time? Just use a javascript that reloads 100 images with 
src=<targetsite> at a time, and you have your attack completely without using any vulns (and some scriptkiddies 
actually did that, see <http://loic.webs.com/>). Tip: If you can do something without using a vuln or so, having a vuln 
for it is worthless.

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/