How to perform the DDoS Testing of Web Applications


Peerlyst, November 02, 2017. Nasrumminallah Zeeshan (zeeshan@nzwriter.com)

A Denial of Service (DoS) attack consists of flooding a specific target system with traffic. The target is hit with many requests at once, intended to exceed the capacity of the target application and make the system unusable for legitimate users. The attacker first maps out the target system; once its entry points are identified, a large number of malicious requests are sent at a time. This article lists the steps to test your web application for DoS weaknesses. We focus on the testing methodology, and close with security precautions. The following factors are involved in DoS testing of web applications.

1. SQL wildcard attacks cause the underlying database to carry out extensive work, making the system use extra resources. Attackers use SQL wildcard attacks to consume database resources and leave the system unable to process database requests coming from valid users.

How to test for wildcard vulnerability?
A standard search function retrieves data from the database in less than a second for a database containing 1-100000 records. If the database takes more than 5 seconds when wildcards are supplied as the query, it is vulnerable to SQL wildcard attacks. In simple words, if database results take longer than usual, the system is vulnerable to SQL wildcard attacks. You can test for SQL wildcards manually, or use a fuzzer to automate the process.

2. DoS buffer overflow testing checks whether data structure overflows can be used to execute a DoS attack. Buffer overflows abuse memory locations that are under the developers' control, and the test checks whether arbitrary commands can be executed to perform DoS attacks against the system.

How to test for buffer overflow vulnerability?
In web applications, format string flaws can bring the system down through multiple submissions containing format string characters. Attackers look for application URLs that take user input; passing %n in one of the form fields can leave the system unable to work correctly. If the output shows stack data being printed to the browser, the target application confirms the existence of a buffer overflow vulnerability.

3. User input used as a loop counter can contribute to a DoS attack against a web application. Here we check whether the application can be made to execute a specific code segment many times, consuming system resources at a higher level. If a user can assign the value used as a counter in a loop, the target application's performance suffers.

How to test for inputs as a loop counter?
Find URLs or hidden entry points that take user input. If an entry point normally takes a value of 10, enter 1000 instead; the target application must then do one of two things: return an error message, or process the user input. If the target application takes time while processing the value 1000, that indicates the numeric value is used as a counter in the target application. This loophole can eventually let an attacker use large values to carry out DoS attacks on the target application.

4. Storing large session data can put a target system under DoS attack, helping an attacker exhaust the server's memory resources. To prevent this weakness, session objects should not store a large amount of data. Similarly, if the application stores session data for unauthenticated users, attackers can easily carry out DoS attacks without holding a privileged user account on the system.

How to test for the session storage vulnerability?
If a target application retrieves a significant amount of data from the database, an attacker can test for the session storage flaw. By keeping an eye on the request data under privileged access, session data can be altered to test for this weakness. The attacker can then use a script to automate the creation of sessions. After many sessions are created, the application's response and processing behaviour show whether the system is vulnerable to a DoS attack.

5. Finding slow-performing pages and flooding them with GET and POST HTTP requests can cause a system to fall short of preventing a DoS attack. In this case an attacker can use large SQL queries to retrieve data from the database. When the results are returned to the user on a page, the SQL commands exercise the application more extensively, and the slow pages act as resource-killing entities for the system.

How to carry out DoS with slow-performing pages?
Find pages that take user input to retrieve database contents. If the application accepts user queries that draw a large amount of data from the database and shows the data back to the user, attackers can automate sending crafted SQL commands in GET or POST submissions to carry out a DoS attack against the target application.

6. Login pages can easily be used to carry out DoS attacks. Attackers use login pages, upload forms or form fields to submit crafted data to the application. If the system's performance degrades when data is submitted on a large scale, the target application confirms that DoS attacks can be carried out through pages containing login fields, file uploads or form fields.

How to carry out DoS attacks with login pages, file uploads and form fields?
Map out the target application and find pages containing login forms, other forms, and file upload functions. Once these entry points are identified, attackers can use brute force tools to perform a DoS attack on login pages. In the same manner, attackers can abuse the upload function if the application renames or edits the file names of uploaded user files. Similarly, applications expose loopholes for DoS attacks if they use form field inputs in URLs.
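As an added illustration (not code from the article), the following Python shows how the search and counter inputs discussed in items 1 and 3 can be hardened: LIKE metacharacters are escaped with an ESCAPE clause so user text is matched literally, and numeric parameters are bounded before they reach the database. The product table, limits and column names are constructed for this example.

```python
import sqlite3

# Single-character escape used with SQL's ESCAPE clause so that user text
# is matched literally instead of being interpreted as a wildcard pattern.
LIKE_ESCAPE = "\\"


def escape_like(term: str) -> str:
    """Neutralise LIKE metacharacters (%, _ and the escape char itself)."""
    return (term.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                .replace("%", LIKE_ESCAPE + "%")
                .replace("_", LIKE_ESCAPE + "_"))


def validate_search_term(term: str, min_len: int = 3, max_len: int = 64) -> str:
    """Reject terms that are too short (cheap to send, costly to scan) or too long."""
    term = term.strip()
    if not min_len <= len(term) <= max_len:
        raise ValueError("search term length out of range")
    return term


def bounded_int(value: str, lo: int, hi: int) -> int:
    """Parse a user-supplied count (page size, repeat count) and enforce bounds."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        raise ValueError("not an integer") from None
    if not lo <= n <= hi:
        raise ValueError(f"value {n} outside [{lo}, {hi}]")
    return n


def search_products(conn: sqlite3.Connection, term: str, limit: str) -> list:
    """Bounded, literal substring search: the user never controls pattern syntax."""
    pattern = "%" + escape_like(validate_search_term(term)) + "%"
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE ? LIMIT ?",
        (pattern, LIKE_ESCAPE, bounded_int(limit, 1, 100)),
    ).fetchall()
    return [r[0] for r in rows]


def demo_conn() -> sqlite3.Connection:
    """Constructed in-memory sample table (assumed schema, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)",
                     [("50% off widget",), ("widget_pro",), ("widget pro",), ("gadget",)])
    return conn
```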

7. Attackers can exploit an application's ability to generate random numbers or tokens. If an application generates random quantities based on numeric values supplied by a user, the application can be tested for DoS by supplying many values for that purpose. In this case system resources are consumed more extensively, leaving the application unable to serve valid users.

How to test for DoS through random quantity generation?
Identify URLs that take numeric user input, and analyze how the target system processes it after submission. Find the factors that are affected by the user input. With that data in hand, you can use a fuzzing tool to submit many inputs and modify the target factors controlled by user-supplied values. If the application takes longer than usual, or the output page shows unexpected data being returned, the target application is subject to DoS attacks.

8. Consider the target application's web hosting features and carry out DoS testing against them. If the target application is expected or configured to serve 1000 requests per day, you can automate sending requests to exceed that limit. In this case you exhaust the bandwidth quota for the target application and leave it unable to prevent DoS attacks.

How to footprint and test the target application?
Find WHOIS data using web tools such as Whois. The Whois information can be used for social engineering against the owner of the target application. In the same manner, the Whois data exposes the target application's web hosting and name servers. With this information, you can check the hosting packages and features of the hosting company, which helps craft appropriate attack vectors for the target application.

How to prevent DoS attacks against web applications?
In addition to finding out whether your target application is vulnerable to DoS attacks, the following points will help you focus on the sensitive areas and prevent DoS attacks against your web application.
- Focus on the application resources handled by your web hosting company.
- Limit the resources allocated to individual users.
- Limit the disk space quota for authenticated users.
- Configure your application to handle one request per user at a time. If the same user sends multiple requests at once, you can drop the first request to serve the new ones correctly.
- Don't let unauthenticated users access the database or sensitive resources.
- Instead of spawning new processes for users, use caching for recurring user requests.
- Monitor access logs and prevent DoS attacks by limiting access to vulnerable resources, such as login pages, forms, and file upload forms.

Final thoughts
An application's entry points, such as URLs taking user input, GET/POST variables and form fields, contribute to DoS attacks against a target application. DoS attacks are carried out with manual and automated testing techniques, including fuzzer tools. To prevent such attacks, the application's entry points (URLs taking values, form fields and file upload pages) need security precautions. To keep a hold on those precautions, test your system on a daily, weekly and monthly basis. This will help you monitor your application properly and carry out security management with system history records.
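An added example, not from the original article, for the access-log monitoring recommended above: a sliding-window detector that flags clients hammering login, upload or search paths. The combined-format log lines, the sensitive path prefixes, the 60-second window and the threshold of 20 hits are constructed assumptions to be tuned per application.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Resource-heavy entry points the article singles out (assumed paths).
SENSITIVE_PREFIXES = ("/login", "/upload", "/search")


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None for junk lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]


def flag_floods(lines, window_s=60, threshold=20):
    """Sliding-window hit count per (ip, path); returns the peak count per offender."""
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _method, path = rec
        if not path.startswith(SENSITIVE_PREFIXES):
            continue
        q = windows[(ip, path)]
        q.append(ts)
        # Drop hits older than the window before counting.
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold:
            flagged[(ip, path)] = max(flagged.get((ip, path), 0), len(q))
    return flagged


def sample_log():
    """Constructed log: one client hammering /login, one browsing normally."""
    fmt = '{ip} - - [02/Nov/2017:10:00:{s:02d} +0000] "{m} {p} HTTP/1.1" {c} 512 "-" "ua"'
    lines = [fmt.format(ip="203.0.113.7", s=i, m="POST", p="/login", c=401) for i in range(25)]
    lines += [fmt.format(ip="198.51.100.4", s=i, m="GET", p="/index.html", c=200) for i in range(5)]
    lines.append("garbage line that does not parse")
    return lines
```

Feeding a real log to flag_floods yields the (client, path) pairs to rate-limit or block at the proxy.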