Message-ID: <008101ce74ef$ec562f40$9b7a6fd5@pc>
Date: Sat, 29 Jun 2013 20:40:22 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: "Michal Zalewski" <lcamtuf@...edump.cx>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Denial of Service in WordPress
Hello Michal!
Yes, of course there are a lot of ways to make cross-site requests. But what
is the benefit of using Looped DoS - do you see it? It looks like you don't. I'll
explain it for you.
One standard request (via img and other tags in HTML, etc.) leads to a single
request to the target site. One request using a Looped DoS hole (such a hole
by itself, or one artificially created by looping two redirectors) leads to 21
requests - in the case of using a redirector/redirectors with server headers
(after the 21st request modern browsers will stop it). And in case there is an
old IE or an "unlimited bot", or my bypass techniques are used (using JS or
meta-refresh in at least one of the two redirectors) to bypass the browsers'
restriction - one request leads to an infinite number of requests.
I.e. this is 21 times / infinitely more effective for the attack.
And besides using a link, frame or iframe to lead to the Looped DoS, it's also
possible to use other standard methods of making requests, such as img or
other tags (in this case only server-header redirectors must be used).
This creates 21 (for modern browsers) or an infinite number of requests (for
old IE) from one image. Put a lot of images on forums and other sites which
allow the img tag (via html or bbcode) pointing at the Looped DoS, and there will
be a lot of requests from a single visitor to that page.
> Browsers detect redirect loops to prevent accidental mishaps and
> simplify troubleshooting, not to stop malicious attacks.
Yes, you are right. But exactly this functionality to stop redirect loops
(in all modern browsers) can help mitigate such attacks. Just not all
techniques of this attack. Also remember that your company's browser Chrome
(and some other vendors' too) was trying to prevent looped redirects
using JS, but not well enough - as I showed in my Refresh DoS attack in 2008
in my project Day of bugs in browsers. So browser vendors need to improve
their redirect loop protection.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
From: "Michal Zalewski" <lcamtuf@...edump.cx>
To: "MustLive" <mustlive@...security.com.ua>
Cc: "Ryan Dewhurst" <ryandewhurst@...il.com>; "full-disclosure"
<full-disclosure@...ts.grok.org.uk>
Sent: Friday, June 28, 2013 9:19 AM
Subject: Re: [Full-disclosure] Denial of Service in WordPress
>> The attack overloads web sites precisely by presenting an endless loop of
>> redirects. As I showed in all cases of Looped DoS vulnerabilities in web
>> sites and web applications, which I wrote about during 2008 (when I created
>> this type of attacks) - 2013.
>
> You do realize that any browser can be made to issue a *lot* of
> requests to any other destination on the web - say, by instantiating a
> bunch of images, leveraging CORS, navigating iframes, etc?
>
> Browsers detect redirect loops to prevent accidental mishaps and
> simplify troubleshooting, not to stop malicious attacks.
>
> /mz
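The two-redirector ping-pong discussed in this exchange, seen from the server side: an added example (not code from either correspondent) that scans web-server access logs for a client being bounced between two redirecting paths and reports the chain length, so an operator can spot the pattern and rate-limit or break the chain. It assumes a combined log format with an extra `location=<target>` field appended on 3xx lines; the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed (constructed) format: combined log plus "location=<target>" on 3xx lines
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+(?: location=(?P<loc>\S+))?')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_redirect_loops(lines, alert_hops=6):
    """Return {client_ip: longest redirect chain} for clients stuck in a cycle.
    A chain is a run of consecutive 3xx responses to one client where each request
    path equals the previous Location; a cycle is a path reappearing in the chain.
    alert_hops is the chain length at which a cycle is reported."""
    chains = defaultdict(list)
    loops = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        chain = chains[rec["ip"]]
        if 300 <= rec["status"] < 400 and rec["loc"]:
            if chain and chain[-1][1] != rec["path"]:
                chain.clear()  # client did not follow the last Location: new chain
            chain.append((rec["path"], rec["loc"]))
            paths = [p for p, _ in chain]
            if len(chain) >= alert_hops and len(set(paths)) < len(paths):
                loops[rec["ip"]] = max(loops.get(rec["ip"], 0), len(chain))
        else:
            chain.clear()  # a non-redirect response ends the chain
    return loops

def _line(ip, path, status, loc=None):
    tail = f" location={loc}" if loc else ""
    return f'{ip} - - [29/Jun/2013:20:40:22 +0300] "GET {path} HTTP/1.1" {status} 0{tail}'

# Constructed sample: one client bounced between two redirectors, one normal client
SAMPLE_LOG = [_line("203.0.113.5", p, 302, n)
              for p, n in [("/go", "/back"), ("/back", "/go")] * 4]
SAMPLE_LOG += [_line("198.51.100.7", "/old", 301, "/new"),
               _line("198.51.100.7", "/new", 200)]
```

Run `find_redirect_loops(SAMPLE_LOG)` to see the bouncing client reported with its eight-hop chain while the single 301 of the normal client is ignored.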