[Full-Disclosure] Web Application DoS

From: kcope (kingcope_at_gmx.net)
Date: 11/30/04

To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
Date: Tue, 30 Nov 2004 20:59:14 +0100 (MET)

| Web Application Denial of Service |
There is a denial of service condition not in a specific software product
but in several web based applications.
The idea is to make a rather small HTTP request and get a big amount of
data back from the HTTP daemon.
The HTTP protocol for a client could be as simple as a normal one line GET
request for a specific web site on the server.
Now letīs take the example of a search engine on a web site.
Most times one will be able to search for just an ``A`` and get back a
big result set of the data searched inside the information database.
Of course the result set will be limited in good search applications.
But if it is possible to manipulate the amount of results to a very high
value and there is much information stored in the database the result
set is very big and therefore the answer from the http daemon will also
seem endless if no timeout is set.
If one finds a way to manipulate this GET or POST request and automates the
process through a very simple script which just loops over and over
making this request the http daemon will not be able to handle its own
data. The result is that the website is not reachable anymore because the
is busy sending back nonsense data to the client (which will not wait for
any but
only makes small requests). I guess this works regardless of the underlying
software running on the website, even powerful Sun Applications seem to be
It should be mentioned that it has not to be a search application. Other
server side scripts
may be manipulated also to give the same effect. The only thing needed is
that after
a small request the http server is convinced to answer with an endless
stream of bytes.
No ultra fast connection is needed to make a rather big server with large
connection bandwidth unavailable.
No throughout test was done so this could be a false positive.
But by testing even ``important`` business sites didn`t like this type of

kcope 2k4

Geschenkt: 3 Monate GMX ProMail + 3 Top-Spielfilme auf DVD
++ Jetzt kostenlos testen http://www.gmx.net/de/go/mail ++
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Relevant Pages

  • RE: [Full-Disclosure] Web Application DoS
    ... request for a specific web site on the server. ... set is very big and therefore the answer from the http daemon will also ... If one finds a way to manipulate this GET or POST request and automates the ...
  • Re: Two Advanced Ruby Performance Questions
    ... create instances in the page request scope? ... I want to know if this is possible in Ruby. ... You can easily pre load all classes at server start time inastead of per request once you are ready for production environment. ... But this is only good for when you are developing your applications. ...
  • Re: Lots of SPOOLSS network traffic
    ... When the users leave for the day, do they exit the applications they have ... I've got a Small Biz Server 2003 with 5 clients. ... and SPOOLSS ClosePrinter request, OpenPrinterEx ...
  • Re: Http server - Header problem
    ... Just read once and go or check received data ... there is no warranty that one read will bring you whole request. ... > I need to have a simple http server in one of my applications. ... > applications, all of them just calls socket.read method for 1-4kb data. ...
  • Re: start ASP net from very scratch
    ... applications do not run inside of browsers. ... Browser sends a request to the server ... IIS is running on the Web server and it receives the ... ASP.NET ultimately returns plain old HTML back to the browser. ...