Sunday, November 15, 2015

BugBounty-Unexpected application behaviour causing self DoS attack

Hi Guys,
Starting with this post I am publishing case studies from my own real-world bug hunting. This is the first one. I was performing black-box testing of the website below.

Bug submission: 2014-05-24 19:57:48 UTC


URL: pamedia.lastmiledemo.com/cgi-bin/default.php?appname=login

Affected parameters: username, password, login

Description: This flaw existed in the login panel. I was tampering with various parameters in the hope that the web application would behave unexpectedly, so I inserted [ and ] around every parameter name and value in order to trigger an error message. After submitting the tampered request, however, I found that the application started generating an endless stream of requests to itself.

Impact: There is no direct business impact from this vulnerability, but avoiding self-DoS conditions is part of security best practice. It may also consume a small amount of network bandwidth on the client side.

Original Request: 

POST /cgi-bin/authenticate.php?appname=login HTTP/1.1
Host: pamedia.lastmiledemo.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://pamedia.lastmiledemo.com/cgi-bin/default.php?appname=login
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 41

username=asdas&password=asdas&Login=Login


Tampered Request: 

POST /cgi-bin/authenticate.php?appname=login HTTP/1.1
Host: pamedia.lastmiledemo.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://pamedia.lastmiledemo.com/cgi-bin/default.php?appname=login
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 41

[username]=[asdas]&[password]=[asdas]&[Login]=[Login]
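Two defender-side checks, added here as an example and not part of the original post or of the tested application: a login handler that accepts only the exact parameter names the original request above sends (so the bracketed body of the tampered request is answered with 400 before it reaches any code that could misbehave), and a small access-log scan that flags the symptom described in the post, one client hitting one endpoint in a tight loop. The endpoint paths come from the post; the log lines and the credential check are constructed placeholders. The root cause of the loop in the real application is not known from the post, so the handler is generic hardening of the parameter surface, not a fix for that specific code.

```python
"""Added example (not from the original post): strict parameter-name
validation for the login form, plus a detector for the request-loop symptom
over constructed access-log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl

# Exact parameter names the login form is supposed to send (taken from the
# post's original request).  Anything else, bracketed variants included,
# is rejected.
LOGIN_PARAMS = frozenset({"username", "password", "Login"})
# Parameter names must be plain identifiers: no '[', ']', dots or spaces.
SAFE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def validate_login_body(body: str) -> dict:
    """Parse a form-encoded body and return its fields only if every
    parameter name is well-formed and expected, and none is missing.
    Raises ValueError otherwise; the caller maps that to HTTP 400.
    strict_parsing turns malformed pairs (e.g. a bare 'foo' with no '=')
    into an error instead of silently dropping them."""
    fields = dict(parse_qsl(body, keep_blank_values=True, strict_parsing=True))
    for name in fields:
        if not SAFE_NAME.match(name):
            raise ValueError(f"malformed parameter name: {name!r}")
        if name not in LOGIN_PARAMS:
            raise ValueError(f"unexpected parameter: {name!r}")
    missing = LOGIN_PARAMS - fields.keys()
    if missing:
        raise ValueError(f"missing parameters: {sorted(missing)}")
    return fields


def handle_login(body: str) -> int:
    """Return the HTTP status a hardened handler would send.  Only bodies
    that pass validation reach the credential check, which is a placeholder
    here (assumption: real code verifies the credentials at that point)."""
    try:
        validate_login_body(body)
    except ValueError:
        return 400
    return 200  # placeholder for the real credential check


# ---- symptom detection over access logs (common log format) ---------------
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
LOG_TS = "%d/%b/%Y:%H:%M:%S %z"


def find_request_loops(log_lines, threshold=20, window=timedelta(seconds=10)):
    """Return {(ip, path): count} for every client that hit one endpoint at
    least `threshold` times inside any `window`-long span.  Uses a sliding
    window over each client/path's sorted timestamps."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        hits[(m["ip"], m["path"])].append(datetime.strptime(m["ts"], LOG_TS))
    loops = {}
    for key, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                loops[key] = max(loops.get(key, 0), end - start + 1)
    return loops


def constructed_access_log():
    """Constructed sample log: one client (RFC 5737 test address) posting to
    the authentication endpoint 25 times in about five seconds, plus a few
    ordinary page loads from another client spread over a minute."""
    base = datetime(2014, 5, 24, 19, 57, 48, tzinfo=timezone.utc)
    lines = []
    for i in range(25):
        ts = (base + timedelta(milliseconds=200 * i)).strftime(LOG_TS)
        lines.append(f'203.0.113.5 - - [{ts}] "POST /cgi-bin/authenticate.php'
                     f'?appname=login HTTP/1.1" 200 0')
    for i in range(3):
        ts = (base + timedelta(seconds=20 * i)).strftime(LOG_TS)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /cgi-bin/default.php'
                     f'?appname=login HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    print(handle_login("username=asdas&password=asdas&Login=Login"))            # 200
    print(handle_login("[username]=[asdas]&[password]=[asdas]&[Login]=[Login]"))  # 400
    print(find_request_loops(constructed_access_log()))
```

The allow-list check is deliberately stricter than "reject brackets": unexpected extra parameters and missing ones are rejected too, which keeps the handler from ever seeing a body shape it was not written for. The log scan is the operations side of the same finding: a single client repeating one endpoint dozens of times within seconds is the trace this bug leaves, and thresholding it per client and path keeps normal login traffic from other clients out of the alert.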

To understand the business impact, please refer to this video carefully.
Thanks! A few more logic bugs are coming in the near future. Stay tuned!