This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing for Denial of Service"

From OWASP
Jump to: navigation, search
 
(20 intermediate revisions by 4 users not shown)
Line 1: Line 1:
[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br>
+
{{Template:OWASP Testing Guide v3}}
{{Template:OWASP Testing Guide v2}}
 
  
==Introduction==
+
''' 4.9 Denial of Service Testing '''
 +
----
  
The most common type of denial of service (DoS) attack is the kind used on a network to make a server unreachable by other valid users. The fundamental concept of a network DoS attack is a malicious user flooding enough traffic to a target machine, that it renders the target incapable of keeping up with the volume of requests it is receiving. When the malicious user uses a large number of machines to flood traffic to a single target machine, this is generally known as a distributed denial of service (DDoS) attack. These types of attacks are generally beyond the scope of what an application developer can prevent within their own code. This type of “battle of the network pipes” is best mitigated via network architecture solutions.
+
A denial of service (DoS) attack is an attempt to make a resource unavailable to its legitimate users.
 +
Traditionally, denial of service (DoS) attacks have been network based: a malicious user floods a target machine with enough traffic to make it incapable of servicing its intended users. When the attack is launched by leveraging a large number of machines, the attack is typically called a distributed denial of service (DDoS) attack. In general, network DoS attacks are beyond the scope of what application developers can prevent within their own code. This type of “battle of the network pipes” is best mitigated via network architecture solutions.
  
There are, however, types of vulnerabilities within applications that can allow a malicious user to make certain functionality or sometimes the entire website unavailable. These problems are caused by bugs in the application, often resulting from malicious or unexpected user input.  This section will focus on application layer attacks against availability that can be launched by just one malicious user on a single machine.
+
There are, however, types of vulnerabilities at the application level that can allow a malicious user to make certain functionality or, sometimes, the entire website unavailable. These problems are caused by bugs in the application and often are triggered by malicious or unexpected user input.  This section will focus on application layer attacks against availability that can be launched by just one malicious user on a single machine.
  
Here are the DoS testings we will talk about:
+
Here are the DoS tests we will talk about:
   
+
 
#[[DoS Testing: Locking Customer Accounts]]
+
#[[Testing for SQL Wildcard Attacks (OWASP-DS-001)]]
#[[DoS Testing: Buffer Overflows]]
+
#[[Testing for DoS Locking Customer Accounts (OWASP-DS-002)]]
#[[DoS Testing: User Specified Object Allocation]]
+
#[[Testing for DoS Buffer Overflows (OWASP-DS-003)]]
#[[DoS Testing: User Input as a Loop Counter]]
+
#[[Testing for DoS User Specified Object Allocation (OWASP-DS-004)]]
#[[DoS Testing: Writing User Provided Data to Disk]]
+
#[[Testing for User Input as a Loop Counter (OWASP-DS-005)]]
#[[DoS Testing: Failure to Release Resources]]
+
#[[Testing for Writing User Provided Data to Disk (OWASP-DS-006)]]
#[[DoS Testing: Storing too Much Data in Session]]
+
#[[Testing for DoS Failure to Release Resources (OWASP-DS-007)]]
 +
#[[Testing for Storing too Much Data in Session (OWASP-DS-008)]]
  
  
 
==References==
 
==References==
  
Stephen de Vries, Application denial of service (DoS) attacks: http://www.corsaire.com/white-papers/040405-application-level-dos-attacks.pdf
+
Stephen de Vries, Application denial of service (DoS) attacks: http://www.infosecwriters.com/text_resources/pdf/application_level_DoS_attacks.pdf<br>
 +
HTTP Get and HTTP Post attacks: http://www.owasp.org/index.php/OWASP_HTTP_Post_Tool
  
{{Category:OWASP Testing Project AoC}}
+
<br>
 
[[Category:Denial of Service Attack]]
 
[[Category:Denial of Service Attack]]

Latest revision as of 16:51, 17 February 2013

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here

4.9 Denial of Service Testing


A denial of service (DoS) attack is an attempt to make a resource unavailable to its legitimate users. Traditionally, denial of service (DoS) attacks have been network based: a malicious user floods a target machine with enough traffic to make it incapable of servicing its intended users. When the attack is launched by leveraging a large number of machines, the attack is typically called a distributed denial of service (DDoS) attack. In general, network DoS attacks are beyond the scope of what application developers can prevent within their own code. This type of “battle of the network pipes” is best mitigated via network architecture solutions.

There are, however, types of vulnerabilities at the application level that can allow a malicious user to make certain functionality or, sometimes, the entire website unavailable. These problems are caused by bugs in the application and often are triggered by malicious or unexpected user input. This section will focus on application layer attacks against availability that can be launched by just one malicious user on a single machine.

Here are the DoS tests we will talk about:

  1. Testing for SQL Wildcard Attacks (OWASP-DS-001)
  2. Testing for DoS Locking Customer Accounts (OWASP-DS-002)
  3. Testing for DoS Buffer Overflows (OWASP-DS-003)
  4. Testing for DoS User Specified Object Allocation (OWASP-DS-004)
  5. Testing for User Input as a Loop Counter (OWASP-DS-005)
  6. Testing for Writing User Provided Data to Disk (OWASP-DS-006)
  7. Testing for DoS Failure to Release Resources (OWASP-DS-007)
  8. Testing for Storing too Much Data in Session (OWASP-DS-008)


References

Stephen de Vries, Application denial of service (DoS) attacks: http://www.infosecwriters.com/text_resources/pdf/application_level_DoS_attacks.pdf
HTTP Get and HTTP Post attacks: http://www.owasp.org/index.php/OWASP_HTTP_Post_Tool