Full Disclosure mailing list archives
Re: Denial of Service in WordPress
From: Jann Horn <jann () thejh net>
Date: Fri, 28 Jun 2013 07:56:52 +0200
On Thu, Jun 27, 2013 at 11:50:47PM +0300, MustLive wrote:
> > This just affects the client though right?
>
> This DoS only going on client side unlike other types of DoS (see my classification), but issue of web application is in allowing Looped DoS state. You see error message very quickly because you are living in 2013 (where already many browsers protect against simple form of Looped DoS) and using secure browser - use a browser without this protection (like IE) and have fun.
Sooo... a bunch of browsers doing one request at a time (instead of doing a real attack) and which slow down if your server becomes unresponsive is a threat? Seriously, that might become a few hundred requests per second or so if a largeish amount of clients participates, but that shouldn't be able to bring down your server.
> > From my understanding you'd have to get the user to click on the tinyurl
>
> How the attack must go to benefit the attacker. One way is to give people (with vulnerable browsers) to click the link and see endless loop - it'll not give enough overload on target server, since people will quickly close the browser's tab/window. Another one is to give that link to crazy bots (like from search engines), who has no limits on redirects - it'll endlessly connect to target site/sites and overload them.
You said it – you'd need "crazy bots" for that. Crazy bots with an absurd amount of bandwidth (since they're probably not just indexing your site). I think you'll have a hard time finding those – as far as I know, it's standard practice to put at least one second of delay between two requests, and that rate shouldn't be harmful at all.
> Even better way is to put iframe which leads to such redirector at some sites (the more the better) - it can be ad network with such "fun banner" or hacked web sites with added iframe or via persistent XSS hole. While people will be at such sites the browser in background will be infinitely sending requests to target site/sites (in case of WP redirectors it will be two sites for the first attack with using of tinyurl.com and one site in case of the second attack, which works in all WordPress, including WP 3.5.2). The more time people spend on particular page with injected iframe with endless redirect and the more people are visiting such sites, the more effect will be. No need to ask people to "participate in DoS attack", their browser will be automatically "participating" via Looped DoS attack (just by entering in any way this endless loop).
Yeah, that could happen... but why only do one request at a time? Just use a javascript that reloads 100 images with src=<targetsite> at a time, and you have your attack completely without using any vulns (and some scriptkiddies actually did that, see <http://loic.webs.com/>). Tip: If you can do something without using a vuln or so, having a vuln for it is worthless.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
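The client-side safeguards this message refers to (browsers that stop a redirect loop, bots that pause about a second between requests), sketched as an added example that is not part of the original message or of any browser's or crawler's code. The redirect table, host names and the `follow_redirects` / `sample_fetch` helpers are constructed for illustration.

```python
import time
from urllib.parse import urljoin

# Constructed redirect table standing in for HTTP responses: url -> (status, Location).
SAMPLE_SITE = {
    "http://short.example/x": (302, "http://blog.example/redirect"),
    "http://blog.example/redirect": (302, "http://short.example/x"),  # two-site loop
    "http://blog.example/self": (302, "/self"),                       # one-site loop
    "http://blog.example/old": (301, "/new"),
    "http://blog.example/new": (200, None),
}

def sample_fetch(url):
    """Hypothetical fetcher: looks the URL up in SAMPLE_SITE instead of the network."""
    return SAMPLE_SITE.get(url, (404, None))

def follow_redirects(url, fetch=sample_fetch, max_hops=10, delay=1.0, sleep=time.sleep):
    """Follow redirects politely; return (outcome, final_url, requests_sent)."""
    seen = set()
    requests_sent = 0
    while True:
        if url in seen:
            return ("loop", url, requests_sent)        # stop before re-requesting
        if requests_sent >= max_hops:
            return ("too_many_redirects", url, requests_sent)
        if requests_sent:
            sleep(delay)                               # pause between consecutive requests
        seen.add(url)
        status, location = fetch(url)
        requests_sent += 1
        if status not in (301, 302, 303, 307, 308) or not location:
            return ("done", url, requests_sent)
        url = urljoin(url, location)                   # resolve relative Location headers

if __name__ == "__main__":
    for start in ("http://short.example/x", "http://blog.example/self",
                  "http://blog.example/old"):
        print(start, follow_redirects(start, sleep=lambda s: None))
```

With both checks in place a two-site loop costs the servers two requests and a one-site loop costs one; the hop cap covers redirect chains that never repeat a URL.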