How to perform the DDoS Testing of Web Applications
Peerlyst, November 02, 2017
Nasrumminallah Zeeshan (zeeshan@nzwriter.com)
A Denial of Service (DoS) attack consists of flooding a specific target system with traffic. The target is affected by sending many requests at once, intended to exceed the capacity of the target application and make the system unusable for legitimate users. The attack begins by mapping out the target system; once its entry points are identified, a large number of malicious requests are sent at a time. This article lists the steps to test your web application for DoS attacks. We focus on the testing methodology, with security precautions at the end. The following factors are involved in DoS testing of web applications.

1. SQL wildcard attacks cause the underlying database to perform extensive work, making the system consume extra resources. Attackers use SQL wildcard attacks to exhaust database resources and leave the system unable to process database requests from legitimate users.

How to test for wildcard vulnerability?

A standard search function used to retrieve data from the database takes less than a second for a database containing 1-100000 records. If the database takes more than 5 seconds to answer a query made of wildcards, it is vulnerable to SQL wildcard attacks. In simple words, if database results take longer than usual, the system is vulnerable to SQL wildcard attacks. You can test for SQL wildcards manually, or use a fuzzer to automate the process.

2. DoS buffer overflow testing checks whether data structure overflows can be used to execute a DoS attack. Buffer overflows take advantage of memory locations meant to be under the developers' control, and the test checks whether arbitrary commands can be executed to perform DoS attacks against the system.

How to test for buffer overflow vulnerability?
In web applications, testing for format string flaws can bring the system down through repeated submissions containing format string characters. Attackers find application URLs that take user input; passing %n in one of the form fields can leave the system unable to work correctly. If the output shows stack data being printed to the browser, the target application confirms the existence of a buffer overflow vulnerability.

3. User input used as a loop counter can contribute to a DoS attack against a web application. Here we check whether the application can be made to execute a specific code segment many times, consuming system resources at a higher level. If a user can assign the value used as the counter of a loop, that can cause poor performance of the target application.

How to test for inputs as a loop counter?

Find URLs or hidden entry points that take user input. If an entry point that normally takes a value of 10 is tested by entering 1000, the target application can behave in one of two ways: it returns an error message, or it processes the user input. If the target application takes time while processing the input 1000, this can confirm that the numeric value is used as a counter in the target application. This security loophole can eventually let an attacker use large values to carry out DoS attacks on the target application.

4. Storing large session data can put a target system under DoS attack, helping an attacker exhaust the server's memory. To prevent this weakness, developers should not store large amounts of data in session objects. Similarly, if the application stores session data for unauthenticated users, attackers can easily carry out DoS attacks without a privileged account on the system.

How to test for the session storage vulnerability?

If a target application retrieves a significant amount of data from the database, an attacker can test for the session storage security flaw. By observing the request data under privileged access, session data can be altered to test for this weakness.
In this case, the attacker can use a script to automate the creation of sessions. After creating multiple sessions, the application's response and processing measurements show whether the system is vulnerable to a DoS attack.

5. Finding slow-performing pages and flooding them with GET and POST HTTP requests can leave a system unable to prevent a DoS attack. Here an attacker can use large SQL queries to retrieve data from the database. When the results are returned to the user on a page, the SQL commands burden the application more extensively, turning slow pages into resource-killing entities for the system.

How to carry out DoS with slow-performing pages?

Find pages that take user input to retrieve database contents. If the application accepts user queries that draw a large amount of data from the database and shows that data back to the user, attackers can automate sending crafted SQL commands in GET or POST submissions to carry out a DoS attack against the target application.

6. Login pages can easily be used to carry out DoS attacks. Attackers use login pages, upload forms or form fields to submit crafted data to the application. If the system's performance is affected by data submitted on a large scale, the target application confirms that DoS attacks can be carried out through pages containing login fields, file uploads or form fields.

How to carry out DoS attacks with login pages, file uploads and form fields?

Map out the target application and find pages containing login forms, other forms and file upload instances. Once the entry points are identified, attackers can use brute-force tools to perform a DoS attack on login pages. In the same manner, attackers can trick the target application's upload handling if the application renames or edits the file names of uploaded files. Similarly, applications can expose security loopholes for DoS attacks if they use form field inputs in URLs.
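The wildcard case in item 1 is easiest to reason about with the fix next to the check. The following is an added example written for this article, not code from the original post: a parameterised search that escapes LIKE metacharacters by default (so a user's `%` and `_` match literally), an optional mode that honours wildcards but caps how many a pattern may contain, and the timing check the article describes against the 5-second threshold. The product table, the `MAX_WILDCARDS` limit and the function names are all assumptions made for the example.

```python
import sqlite3
import time

# Hypothetical policy values (assumptions, not from the article): how many
# wildcard metacharacters a user pattern may contain when the search feature
# deliberately allows wildcards, and the 5-second "too slow" threshold the
# article uses as its indicator.
MAX_WILDCARDS = 2
SLOW_QUERY_SECONDS = 5.0

# Characters that SQL LIKE interprets: '%' (any run) and '_' (any one char).
LIKE_META = "%_"
ESCAPE_CHAR = "\\"


def escape_like(term: str) -> str:
    """Escape LIKE metacharacters so a user term matches literally.
    Must be paired with `LIKE ? ESCAPE '\\'` in the query text."""
    out = []
    for ch in term:
        if ch == ESCAPE_CHAR or ch in LIKE_META:
            out.append(ESCAPE_CHAR)
        out.append(ch)
    return "".join(out)


def count_wildcards(term: str) -> int:
    return sum(1 for ch in term if ch in LIKE_META)


def is_acceptable_pattern(term: str) -> bool:
    """Policy for searches that intentionally accept wildcards: patterns such as
    '%a%b%c%d%' make the engine backtrack across every row, so cap the count."""
    return count_wildcards(term) <= MAX_WILDCARDS


def build_demo_db(rows: int = 5000) -> sqlite3.Connection:
    """Constructed in-memory table standing in for the article's search backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [(f"item-{i:05d}",) for i in range(rows)])
    conn.commit()
    return conn


def search(conn: sqlite3.Connection, term: str, allow_wildcards: bool = False) -> list:
    """Parameterised search. By default user wildcards are escaped and matched
    literally; with allow_wildcards=True they are honoured but capped."""
    if allow_wildcards:
        if not is_acceptable_pattern(term):
            raise ValueError("too many wildcard characters in search term")
        pattern = "%" + term.replace(ESCAPE_CHAR, ESCAPE_CHAR * 2) + "%"
    else:
        pattern = "%" + escape_like(term) + "%"
    cur = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY id",
        (pattern,))
    return [row[0] for row in cur.fetchall()]


def timed_search(conn, term, allow_wildcards=False):
    """The article's timing check: returns (results, seconds, too_slow)."""
    start = time.perf_counter()
    results = search(conn, term, allow_wildcards)
    elapsed = time.perf_counter() - start
    return results, elapsed, elapsed > SLOW_QUERY_SECONDS


if __name__ == "__main__":
    db = build_demo_db()
    for raw in ("00042", "_", "%0%0%0%0%"):
        try:
            hits, secs, slow = timed_search(db, raw, allow_wildcards=True)
            print(f"{raw!r}: {len(hits)} rows in {secs:.4f}s, slow={slow}")
        except ValueError as e:
            print(f"{raw!r}: rejected ({e})")
```

The two modes make the trade-off explicit: a plain search field should never pass user wildcards to the engine at all, while a feature that advertises wildcard search needs a ceiling on how much backtracking a single request can buy.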
7. Attackers can exploit an application's ability to create random numbers or tokens. If an application generates random quantities based on numeric values supplied by a user, the application can be tested for DoS attacks by providing many values for that purpose. In this case, system resources are consumed more extensively, leaving the application unable to serve legitimate users.

How to test for the DoS attack with random quantity generation?

Identify URLs that take numeric user input, and analyze the processing routine of the target system after submitting the input. Find the factors affected by the user input. Once you have this data, you can use a fuzzing tool to submit multiple inputs and modify the target factors handled by user-supplied values. If the application takes longer than usual, or the output page returns unexpected data, the target application is susceptible to DoS attacks.

8. Consider the target application's web hosting features and carry out the DoS testing process accordingly. If the target application is supposed or configured to serve 1000 requests per day, you can automate sending requests to cross that limit. In this case, you can exceed the target application's bandwidth quota and leave it unable to prevent the DoS attack.

How to footprint the target application and carry out the testing process?

Find WHOIS data using web tools such as Whois. You can use the Whois information to carry out social engineering against the owner of the target application. In the same manner, the Whois data exposes the target application's web hosting and name servers. With this information, you can check the hosting packages and features of the hosting company, which helps you craft appropriate attack vectors for the target application.
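Items 3 and 7 share one root cause: a user-controlled number decides how much work the server does. The following is an added example written for this article, not code from the original post. It shows the defensive counterpart of the "enter 1000 where 10 is expected" test: a `bounded_int` validator that rejects (rather than silently clamps) out-of-range or non-integer values, applied to a paged listing handler and a token-issuing handler. The bounds, handler names and the `safe_call` wrapper are assumptions chosen for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class IntBounds:
    lo: int
    hi: int


# Hypothetical limits (assumptions): a page may return at most 100 rows and a
# single request may mint at most 10 random tokens.
PAGE_SIZE = IntBounds(1, 100)
TOKEN_COUNT = IntBounds(1, 10)


class RejectedInput(ValueError):
    """Raised for any untrusted value that fails validation."""


def bounded_int(raw, bounds: IntBounds, name: str) -> int:
    """Parse an untrusted query/form value into an int inside [lo, hi].
    Rejecting instead of clamping keeps abusive requests visible in logs
    rather than silently serving them at the maximum."""
    if isinstance(raw, bool) or not isinstance(raw, (str, int)):
        raise RejectedInput(f"{name}: unsupported type")
    s = str(raw).strip()
    if not (s.isdigit() or (s.startswith("-") and s[1:].isdigit())):
        raise RejectedInput(f"{name}: not an integer")
    value = int(s)
    if value < bounds.lo or value > bounds.hi:
        raise RejectedInput(f"{name}: {value} outside [{bounds.lo}, {bounds.hi}]")
    return value


def list_items(params: dict, total_rows: int = 10_000) -> list:
    """The article's loop-counter case: the caller chooses how many rows come
    back, but the loop can never run more than PAGE_SIZE.hi times."""
    count = bounded_int(params.get("count", "10"), PAGE_SIZE, "count")
    offset = bounded_int(params.get("offset", "0"), IntBounds(0, total_rows), "offset")
    return [f"row-{i}" for i in range(offset, min(offset + count, total_rows))]


def issue_tokens(params: dict) -> list:
    """The article's random-quantity case (item 7): work grows with a user
    number, so the number is capped before any token is generated."""
    n = bounded_int(params.get("n", "1"), TOKEN_COUNT, "n")
    return [secrets.token_hex(16) for _ in range(n)]


def safe_call(handler, params: dict):
    """Return (status, body) the way a framework wrapper would:
    400 for rejected input, 200 otherwise."""
    try:
        return 200, handler(params)
    except RejectedInput as err:
        return 400, str(err)


if __name__ == "__main__":
    for query in ({"count": "10"}, {"count": "1000"}, {"count": "abc"}):
        status, body = safe_call(list_items, query)
        print(query, "->", status, body if status != 200 else f"{len(body)} rows")
    print(safe_call(issue_tokens, {"n": "100000"}))
```

The same validator covers both handlers because the failure mode is identical: any parameter that drives a loop, a database LIMIT, a retry count or a generator needs a server-side ceiling that does not depend on the client honouring the form's default.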
How to prevent DoS attacks against web applications?

In addition to finding out whether your target application is vulnerable to DoS attacks, the following points help you focus on the sensitive areas and prevent DoS attacks against your web application.

- Focus on the application resources handled by your web hosting company.
- Limit the resource allocation to individual users.
- Limit the disk space quota for authenticated users.
- Configure your application to manage one request at a time per user. If the same user sends multiple requests at once, you can drop the first request to serve the new ones correctly.
- Don't let unauthenticated users access the database or sensitive resources.
- Instead of spawning new processes for users, use caching for recurring user requests.
- Monitor access logs and prevent DoS attacks by limiting access to vulnerable resources such as login pages, forms and file upload forms.

Final thoughts

An application's entry points, such as URLs taking user input, GET/POST variables and form fields, contribute to DoS attacks against the target application. DoS attacks are carried out through manual and automated testing techniques, including fuzzing tools. To prevent such attacks, the application's entry points, such as URLs taking values, form fields and file upload pages, need security precautions. To keep a hold on these precautions, test your system on a daily, weekly and monthly basis. This helps you monitor your application properly and lets you carry out security management with a history of system records.
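Three of the precautions above (limit resources per user, keep session objects small, watch access logs for the login and upload pages) can be shown in working code. The following is an added example written for this article, not code from the original post: a per-client sliding-window limiter for protected endpoints, a session object that refuses to grow past a byte ceiling (the item 4 case), and an access-log pass that flags clients hammering login or upload paths (the item 6 case). The limits, the path list, the log format and the sample log lines are all constructed assumptions for the example.

```python
import re
import time
from collections import defaultdict, deque

# Hypothetical policy values (assumptions, not the article's): hits allowed per
# client per window on protected endpoints, and the per-session size ceiling.
LOGIN_LIMIT = 5            # requests
LOGIN_WINDOW = 60.0        # seconds
MAX_SESSION_BYTES = 4096
PROTECTED_PREFIXES = ("/login", "/upload", "/contact")


class SlidingWindowLimiter:
    """Per-client sliding-window counter. `clock` is injectable so the policy
    can be tested without sleeping; the default is the monotonic clock."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        q = self._hits[client_id]
        while q and now - q[0] >= self.window:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # throttle before doing any work
        q.append(now)
        return True


class BoundedSession:
    """Session object that refuses to grow past max_bytes, so creating many
    sessions cannot turn each one into a large server-side allocation."""

    def __init__(self, max_bytes: int = MAX_SESSION_BYTES):
        self.max_bytes = max_bytes
        self._data = {}

    @staticmethod
    def _size(data: dict) -> int:
        return sum(len(k.encode()) + len(str(v).encode()) for k, v in data.items())

    def put(self, key: str, value) -> bool:
        candidate = dict(self._data)
        candidate[key] = value
        if self._size(candidate) > self.max_bytes:
            return False                         # reject, keep the old state
        self._data = candidate
        return True

    def get(self, key: str, default=None):
        return self._data.get(key, default)


class FakeClock:
    """Deterministic clock for exercising the limiter in tests."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


# Common Log Format: client identd user [time] "METHOD path proto" status bytes
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')


def flag_flooders(log_lines, prefixes=PROTECTED_PREFIXES, threshold=LOGIN_LIMIT) -> dict:
    """Access-log review for the last precaution: count hits per client on the
    protected paths and return {client: count} for those over the threshold."""
    counts = defaultdict(int)
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue                             # skip lines that do not parse
        client, _method, path, _status = m.groups()
        if path.startswith(prefixes):
            counts[client] += 1
    return {c: n for c, n in counts.items() if n > threshold}


# Constructed sample log (not from the article): one client hammering /login.
SAMPLE_LOG = [
    f'10.0.0.5 - - [02/Nov/2017:10:00:0{i} +0000] "POST /login HTTP/1.1" 401 12'
    for i in range(6)
] + [
    '10.0.0.9 - - [02/Nov/2017:10:00:07 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.9 - - [02/Nov/2017:10:00:08 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [02/Nov/2017:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 512',
    'this line is not in log format and is skipped',
]


if __name__ == "__main__":
    clock = FakeClock()
    limiter = SlidingWindowLimiter(LOGIN_LIMIT, LOGIN_WINDOW, clock)
    print([limiter.allow("10.0.0.5") for _ in range(7)])
    print("flagged:", flag_flooders(SAMPLE_LOG))
```

The limiter runs before the password check or file write, which is the point: a throttled request must cost the server a dictionary lookup, not a database round trip. The log pass is the offline counterpart, useful for confirming after the fact which clients the limiter should have been stopping.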