On 06/28, Julius Kivimäki wrote:
If one wants to conduct such attacks, would it not be a million times
easier for them to use infected hosts to do thousands of requests per
second? (Per computer). Can you come up with a scenario where this attack
Message -
From: Michal Zalewski lcam...@coredump.cx
To: MustLive mustl...@websecurity.com.ua
Cc: Ryan Dewhurst ryandewhu...@gmail.com; full-disclosure
full-disclosure@lists.grok.org.uk
Sent: Friday, June 28, 2013 9:19 AM
Subject: Re: [Full-disclosure] Denial of Service in WordPress
Attack
I.e. this is 21 times / infinite times more effective for attack.
Not really, in terms of the bandwidth you can use up / the number of
requests you can create. You're essentially trading this:
for (var i = 0; i < whatever; i++) {
var x = new XMLHttpRequest(); /* or new Image() or whatever */
Attack exactly overload web sites presented in endless loop of redirects. As
I showed in all cases of Looped DoS vulnerabilities in web sites and web
applications, which I wrote about during 2008 (when I created this type of
attacks) - 2013.
You do realize that any browser can be made to
...@packetstormsecurity.org ; full-disclosure ; 1337 Exploit
DataBase
Sent: Thursday, June 27, 2013 8:34 PM
Subject: Re: [Full-disclosure] Denial of Service in WordPress
This just affects the client though right? So doesn't DoS a WordPress blog,
just presents an error message to the user if they click
:* submissi...@packetstormsecurity.org ;
full-disclosure full-disclosure@lists.grok.org.uk; 1337
Exploit DataBase mr.inj3c...@gmail.com
*Sent:* Thursday, June 27, 2013 8:34 PM
*Subject:* Re: [Full-disclosure] Denial of Service in WordPress
This just affects the client though right? So doesn't
On Thu, Jun 27, 2013 at 11:50:47PM +0300, MustLive wrote:
This just affects the client though right?
This DoS is only going on at the client side, unlike other types of DoS (see my
classification), but the issue of the web application is in allowing a Looped DoS
state. You see the error message very quickly