Full Disclosure mailing list archives

Re: Denial of Service in WordPress


From: "MustLive" <mustlive () websecurity com ua>
Date: Sat, 29 Jun 2013 20:40:22 +0300

Hello Michal!

Yes, of course there are a lot of ways to make cross-site requests. But what is the benefit of using Looped DoS, do you see it? It looks like you don't. I'll explain it for you.

One standard request (via img and other tags in HTML, etc.) leads to a single request to the target site. One request using a Looped DoS hole (such a hole by itself, or one artificially created by looping two redirectors) leads to 21 requests, in the case of using a redirector/redirectors with server headers (after the 21st request modern browsers will stop it). And if there is an old IE or an "unlimited bot", or if my bypass techniques are used (using JS or meta-refresh in at least one of the two redirectors) to bypass the browsers' restriction, one request leads to an infinite number of requests. I.e. this is 21 times / infinitely more effective for an attack.

And besides using a link, frame or iframe to lead to the Looped DoS, it's also possible to use other standard methods for making requests, such as img or other tags (in this case only server-header redirectors must be used), which creates 21 (for modern browsers) or an infinite number of requests (for old IE) from one image. Put a lot of images pointing to the Looped DoS on forums and other sites which allow the img tag (via HTML or BBCode), and there will be a lot of requests from a single visitor of that page.

> Browsers detect redirect loops to prevent accidental mishaps and
> simplify troubleshooting, not to stop malicious attacks.

Yes, you are right. But exactly this functionality to stop redirect loops (in all modern browsers) can help to mitigate such attacks, just not all techniques of this attack. Also remember that your company's browser Chrome (and some other vendors' browsers too) was trying to prevent looped redirects using JS, but not well enough, as I showed in my Refresh DoS attack in 2008 in my project Day of Bugs in Browsers. So browser vendors need to improve their redirect loop protection.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Michal Zalewski" <lcamtuf () coredump cx>
To: "MustLive" <mustlive () websecurity com ua>
Cc: "Ryan Dewhurst" <ryandewhurst () gmail com>; "full-disclosure" <full-disclosure () lists grok org uk>
Sent: Friday, June 28, 2013 9:19 AM
Subject: Re: [Full-disclosure] Denial of Service in WordPress


> The attack exactly overloads web sites presented in an endless loop of redirects, as
> I showed in all cases of Looped DoS vulnerabilities in web sites and web
> applications, which I wrote about during 2008 (when I created this type of
> attack) - 2013.

You do realize that any browser can be made to issue a *lot* of
requests to any other destination on the web - say, by instantiating a
bunch of images, leveraging CORS, navigating iframes, etc?

Browsers detect redirect loops to prevent accidental mishaps and
simplify troubleshooting, not to stop malicious attacks.

/mz


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
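The amplification argued over in the thread (one visit turning into 21 requests once two redirectors point at each other, and staying a short chain when the redirector validates its target), as an added Python model that is not part of either message; the hosts a.example and b.example, the /start page and the /go?to= parameter are constructed for illustration:

```python
"""Redirector loop from the thread, modelled with a browser-like client.

Constructed scenario (hosts/paths are assumptions, not from the thread):
http://a.example/start redirects to B's redirector with ?to=<that URL>;
an open B sends the visitor straight back, a hardened B refuses."""
from urllib.parse import parse_qs, quote, urlsplit

A_START = "http://a.example/start"
B_GO = "http://b.example/go?to=" + quote(A_START, safe="")

def site_a(url):
    """Fixed redirect to B: on its own harmless, with an open B it loops."""
    return (302, B_GO) if urlsplit(url).path == "/start" else (200, None)

def open_redirector(url):
    """Vulnerable: follows ?to= blindly, so it can be pointed back at site A."""
    target = parse_qs(urlsplit(url).query).get("to", [None])[0]
    return (302, target) if target else (200, None)

def safe_redirector(url, allowed_hosts=("b.example",)):
    """Hardened: only absolute http(s) targets on an allow-listed host."""
    target = parse_qs(urlsplit(url).query).get("to", [None])[0]
    if target is None:
        return (200, None)
    t = urlsplit(target)
    if t.scheme not in ("http", "https") or t.netloc not in allowed_hosts:
        return (400, None)  # refuse instead of redirecting off-site
    return (302, target)

def follow(start_url, handlers, max_redirects=20):
    """Client that follows 3xx like a browser; returns requests issued."""
    url, requests, redirects = start_url, 0, 0
    while True:
        requests += 1
        status, location = handlers[urlsplit(url).netloc](url)
        if status != 302:
            return requests  # terminal response, chain ends normally
        if redirects == max_redirects:
            return requests  # browser gives up on the loop
        redirects += 1
        url = location

def amplification(redirector, max_redirects=20):
    """Requests caused by one visit to /start for the given B redirector."""
    handlers = {"a.example": site_a, "b.example": redirector}
    return follow(A_START, handlers, max_redirects)

if __name__ == "__main__":
    print(amplification(open_redirector))  # 21: initial request + 20 redirects
    print(amplification(safe_redirector))  # 2: B refuses, loop broken
```

Raising max_redirects models the "unlimited bot" case from the thread: with an open redirector the count grows without bound, with the hardened one it stays at 2.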

