Added Excessive Resource Consumption
Showing 3 changed files with 45 additions and 0 deletions.
7 changes: 7 additions & 0 deletions
...lication_level_denial_of_service_dos/excessive_resource_consumption/guidance.md
@@ -0,0 +1,7 @@ | ||
# Guidance | ||
|
||
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. Your submission must include evidence of the vulnerability and not be theoretical in nature. | ||
|
||
For a Denial of Service (DoS), please include a simple URL or HTTP payload that can be executed to easily demonstrate and reproduce the issue. | ||
|
||
Attempt to escalate the DoS vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). |
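Review bot: The guidance asks for a "simple URL or HTTP payload" and a screenshot but never says what evidence of resource consumption the reviewer should expect to see; state the measurable indicator (for example response latency or error codes observed before and after the payload is sent) so that a submission proves the excessive consumption rather than a single slow response. The last paragraph's "escalate the DoS vulnerability to perform additional actions" is also vague about what counts as escalation for this vulnerability class; naming the condition (such as the impact persisting after the payload stops, or affecting users other than the submitter) would make the requirement concrete.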
8 changes: 8 additions & 0 deletions
...n_level_denial_of_service_dos/excessive_resource_consumption/recommendations.md
@@ -0,0 +1,8 @@ | ||
# Recommendation(s) | ||
|
||
It is recommended to perform input validation to limit the total request size, and file upload and extension sizes. and, It’s also important to prevent any user input based function or threading interaction. These preventative measures help against application-level DoS attacks. | ||
|
||
For more information, refer to the following resources: | ||
|
||
- <https://www.bugcrowd.com/glossary/application-level-denial-of-service-dos/> | ||
- <https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html> |
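Review bot: The first paragraph has a grammar slip and an unclear sentence: "extension sizes. and, It's also important" should be one sentence, and "prevent any user input based function or threading interaction" does not say what is to be prevented. Suggest rewording along the lines of "Validate input to limit the total request size and the size and type of file uploads, and do not let user-controlled input drive resource-intensive operations such as thread creation or long-running processing." Since this file is specifically about excessive resource consumption, it would also help to mention per-request resource limits (timeouts, memory or CPU caps) rather than only size limits.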
30 changes: 30 additions & 0 deletions
...lication_level_denial_of_service_dos/excessive_resource_consumption/template.md
@@ -0,0 +1,30 @@ | ||
# Excessive Resource Consumption | ||
|
||
## Overview of the Vulnerability | ||
|
||
Application-level denial of service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. | ||
|
||
There is an application-level DoS vulnerability within this application that an attacker can use to exhaust resources, making the application unavailable for its designed purpose to legitimate users. | ||
|
||
## Business Impact | ||
|
||
Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. | ||
|
||
## Steps to Reproduce | ||
|
||
1. Navigate to {{url}} | ||
1. Use the following payload: | ||
|
||
{{payload}} | ||
|
||
1. In the URL, insert the payload into the following parameter: | ||
|
||
{{parameter}} | ||
|
||
1. Observe that the payload causes a DoS condition | ||
|
||
## Proof of Concept (PoC) | ||
|
||
The screenshot below demonstrates the vulnerability: | ||
|
||
{{screenshot}} |
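Review bot: The overview describes flooding the application "with many HTTP requests", which is a volumetric DoS, while the file title is Excessive Resource Consumption and the sibling recommendations.md talks about request and upload size limits, i.e. one or a few requests that consume disproportionate resources; reword the first paragraph to match the vulnerability class this template is for. In Steps to Reproduce, step 2 tells the reader to use the payload before step 3 identifies the parameter it goes into; swap or merge these two steps so they can be followed in order. The Business Impact sentence "indirect financial loss ... through the attacker's ability to DoS the application" is circular; say what the loss comes from (the application being unavailable to legitimate users, as the overview already states).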