
Denial of Service Attack on Web Applications



    A Denial of Service (DoS) attack is an attack that aims to starve the target of all available resources. Depending on the type of attack, these resources vary a lot. Some attacks abuse poor protocol implementations or designs, while others send small requests that force the web server to do a large amount of work, such as pulling large images or requesting dynamic web pages that require extensive search operations on the back-end database servers. Some organizations have a back-end system that is built to handle just the peaks of daily use and therefore cannot withstand even small-scale attacks.

    Some targets of these attacks are
    • Available CPU
    • Available Memory
    • Sockets, such as TCP source ports, supported half open connections etc.
    • Disk utilization or disk space
    • Database utilization
    • Worker processes

    Some Web Server DoS subtypes could include the following
    • User Registration - The attacker may craft a script that submits user registration forms repeatedly, adding a large number of spurious users. This is a sort of layer 7 or application layer attack that will require a lot of resources on the target back-end.
    • Login Attacks - The attacker will attempt to overwhelm the login process by continuously sending login requests that require the web application to call the authentication mechanism, thereby using all available resources. A login attempt will often require the web server to render the web page, execute server-side scripts, calculate hashes or perform other cryptographic operations, and call the back-end database server. This is a lot of work for the target system in exchange for what may be a single request from the attacker.
    • User Enumeration - If a web application gives information that may reveal if a given user account exists, an attacker may enumerate existing users using a word list with the purpose of later attempting to guess related passwords or do an account lock out attack.
    • Account Lock Out Attack - An attacker may attempt to authenticate to the web application with all known user accounts and an incorrect password with the aim of locking out all possible users. Most modern web applications have a built-in limit on how many failed login attempts a user can have before being locked out.
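    The login and account lockout subtypes above are easiest to see from the defender's side. The following is an added example (not part of the original post): it parses a constructed authentication log, flags a source that fails logins against many distinct accounts inside a short window, and counts failures towards the lockout threshold only from unflagged sources, so one source cannot lock out every user. The log format, thresholds and window length are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01 LOGIN_FAIL user=alice src=203.0.113.7
2024-05-01T10:00:02 LOGIN_FAIL user=bob src=203.0.113.7
2024-05-01T10:00:02 LOGIN_FAIL user=carol src=203.0.113.7
2024-05-01T10:00:03 LOGIN_FAIL user=dave src=203.0.113.7
2024-05-01T10:00:03 LOGIN_FAIL user=erin src=203.0.113.7
2024-05-01T10:00:05 LOGIN_FAIL user=alice src=198.51.100.9
2024-05-01T10:00:09 LOGIN_OK user=alice src=198.51.100.9
2024-05-01T10:07:00 LOGIN_FAIL user=grace src=203.0.113.7
"""
LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")

def parse(log):  # -> list of (timestamp, outcome, user, src)
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], m[4]))
    return events

def detect_lockout_storm(events, window=timedelta(minutes=5), min_users=5):
    """Sources whose failures hit >= min_users distinct accounts in one sliding window."""
    by_src = defaultdict(list)
    for ts, outcome, user, src in events:
        if outcome == "LOGIN_FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()  # chronological; the window slides over this list
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = flagged.get(src, set()) | users
    return flagged

def lockout_candidates(events, flagged, threshold=3):
    """Accounts reaching the lockout threshold, ignoring failures from flagged sources."""
    counts = defaultdict(int)
    for _, outcome, user, src in events:
        if outcome == "LOGIN_FAIL" and src not in flagged:
            counts[user] += 1
    return {u for u, c in counts.items() if c >= threshold}
```

    With the sample log, the single source hitting five accounts within seconds is flagged and contributes nothing to per-account lockout counts, while the genuine user's one failed attempt still counts normally.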

    Web services are based on XML protocols such as the Web Service Definition Language (WSDL) for describing the connection points, Universal Description, Discovery and Integration (UDDI) for the description and discovery of web services, and the Simple Object Access Protocol (SOAP) for communication between web services; each of these may be vulnerable to attack.

    A web service can be divided into the following layers
    • Presentation Layer - XML, AJAX, Portal etc.
    • Security Layer - WS-Security
    • Discovery Layer - UDDI, WSDL
    • Access Layer - SOAP, REST
    • Transport Layer - HTTP, HTTPS, JMS etc.

    For the presentation and security layers the following may be issues
    • Parameter Tampering
    • WSDL Probing
    • SQL/LDAP/XPATH/OS Command Injection
    • Malware Injection
    • Brute-force
    • Data Type Mismatch
    • Content Spoofing
    • Session Tampering
    • Format String Injection
    • Information Leakage

    For the discovery layer the following may be issues
    • Fault Code Leak
    • Permission and Access Attacks
    • Error Leakage
    • Authentication and Certification Attacks

    For the access layer the following may be issues
    • Buffer Overflows
    • XML Parsing
    • Spoiling the XML Schema
    • Complex or Recursive payloads
    • DoS Attacks
    • Large Payloads

    For the transport layer the following may be issues
    • Sniffing
    • Snooping
    • WS-Routing
    • Replay Attacks
    • DoS Attacks

    Certified Security Geek