Re: Denial of Service in WordPress

[Jann Horn <jann () thejh net>]

On Fri, Jun 28, 2013 at 08:55:57PM +0300, MustLive wrote:
> Hi Julius!
>
> Why do you think it will be very slowly? For last 5.5 years you the first said me concerning Looped DoS that requests 
> will be sending very slowly. So think about it. Because all those web sites owners and all those web developers, in 
> which web applications I've found Looped DoS vulnerabilities, after my informing fixed the holes or said that they 
> will take it into account, but never used such argument.

Yeah, I think there are two big reasons for that:

 - It may not be a vuln, but it could be a nuisance.
 - "Better safe than sorry" – if fixing it is faster than arguing, just fix it, even if it's not really an issue. it's 
faster that way.


> The requests speed will be the next (tested on http://tinyurl.com/loopeddos1):
>
> - In average 5.83 - 7 requests/s for looped redirect with 301/302 responses. I.e. it takes 3-3.6 seconds for Firefox 
> to make 21 request before blocking redirect loop (and showing error message). Situation is similar in other browsers, 
> which support blocking. Didn't examine old IE, which doesn't block infinite loops, but the speed must be the same.

Whoah, seven requests per second! That's certainly more than what happens when someone uses javascript to spam a site 
with requests!</sarcasm>


> - The faster will be working target web sites, the faster will be request rate.

In other words, your "attack" behaves like a good load testing tool and slows down when the site becomes slower.


> - It's for browsers, but there are also other clients. Especially such as bots with no redirection limits. Which can 
> work even faster.

Which other clients? I can only think of ones that would be called "bot", and I don't think any of those will crawl 
anything with a speed >1req/s or so.
If they do, it's the bot owner's fault.


> - If the looped requests will be going inside one domain, then the speed will be faster (and it'll useful for 
> attacking not only WordPress < 2.3, but also WP 2.3 - 3.5.2). And overload will not be splitting between two domains 
> (like it's showing in my two examples with tinyurl.com).

"overload"? haha.


> - Open two or more iframes with looped redirect to the same site, to multiply the speed of attack.

Oooh, now you're getting closer to the "javascript that spams a site with requests" approach! Congratulations!


> - Make sufficient amount of clients (people or bots) to unknowingly participate in the attack, such as 1000 and more 
> clients and it'll be sufficient to DoS the site on slow server.

Anonymous actually tested that approach for you, google "js loic" or so (apart from the fact that the
participants mostly had an idea of what they were doing). Yeah, it does work, but there isn't much
a site owner can do to prevent it in his webapp – however, he can blacklist the originating IPs so
that the browsers' connections all time out, thereby slowing down the attack. Also, modern Chromium
detects such a scenario and actively delays connections to a server that seems to be down.


> Note that every attack is going infinitely (at using appropriate clients or at using JS or meta-refresh to prevent 
> normal browsers from stopping endless loop), not just single request from every client.

Only if people knowingly participate. Otherwise, your browser window will eventually be closed (although
it can take some time).


> No need to think that in 2013 every web site owner has resources like Google has.

I don't believe that many people here assume that.


> There are a lot of sites on slow servers

Sure.


> and there are a lot of sites with redirectors

Sure (and that's not a problem).


> (and even real Looped DoS holes are rare, but with using of redirectors it's possible to create such one at any web 
> site with redirector).

Or, as you've already been told, just use javascript and some img tags.


Jann

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/