Testing for Denial of Service
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.
OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here
4.9 Denial of Service Testing
A denial of service (DoS) attack is an attempt to make a resource unavailable to its legitimate users. Traditionally, denial of service (DoS) attacks have been network based: a malicious user floods a target machine with enough traffic to make it incapable of servicing its intended users. When the attack is launched by leveraging a large number of machines, the attack is typically called a distributed denial of service (DDoS) attack. In general, network DoS attacks are beyond the scope of what application developers can prevent within their own code. This type of “battle of the network pipes” is best mitigated via network architecture solutions.
There are, however, types of vulnerabilities at the application level that can allow a malicious user to make certain functionality or, sometimes, the entire website unavailable. These problems are caused by bugs in the application and often are triggered by malicious or unexpected user input. This section will focus on application layer attacks against availability that can be launched by just one malicious user on a single machine.
Here are the DoS tests we will talk about:
- DoS Testing: Locking Customer Accounts
- DoS Testing: Buffer Overflows
- DoS Testing: User Specified Object Allocation
- DoS Testing: User Input as a Loop Counter
- DoS Testing: Writing User Provided Data to Disk
- DoS Testing: Failure to Release Resources
- DoS Testing: Storing too Much Data in Session
Stephen de Vries, Application denial of service (DoS) attacks: http://www.corsaire.com/white-papers/040405-application-level-dos-attacks.pdf