[OWASP-TESTING] Application DoS Section

Shields, Larry Larry.Shields at FMR.COM
Fri Sep 2 11:03:51 EDT 2005


Good question.  I'm tending to think 'no', since the SQL injection is
really its own fully distinct attack and problem.  There would seemingly
be a lot of possible ones such as 'arbitrary file upload that can
overwrite a web file on the system' or 'command execution that could
remove the web pages or shut down the web server' that might also come
in scope... But I think at those points, there are bigger problems.  

However, by this same logic, one could put the Buffer Overflow DoS into
that same type of category.  So I'm willing to listen to opinions from
others on this... Do we want to include a catch-all of other possible
ways someone could make the application unavailable if they used other
attacks to compromise something in the application, like those we
discussed here?

-Larry 

-----Original Message-----
From: Eoin Keary [mailto:eoinkeary at hotmail.com] 
Sent: Friday, September 02, 2005 10:59 AM
To: Shields, Larry; owasp-testing at lists.sourceforge.net
Subject: RE: [OWASP-TESTING] Application DoS Section

Point taken. I thought solutions were in scope also, but this is a testing
guide. (Silly me)

Would removal/corruption/encryption of the authentication table in a DB,
say the "users" table, be considered an App DoS? (So SQL inject a Delete
command.)

Eoin
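The scenario Eoin raises, as an added example that is not part of the thread: an account-removal handler that concatenates the supplied username into a DELETE statement, the same handler with a bound parameter, and the availability check a tester would run on each (the "users" table and its three accounts are constructed for this example).

```python
import sqlite3

# Constructed sample data for the example: three accounts in a "users" table.
SEED_USERS = ["alice", "bob", "carol"]


def make_db():
    """Fresh in-memory database holding the constructed users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(u, "hash-" + u) for u in SEED_USERS])
    return db


def delete_account_vulnerable(db, username):
    """Removal handler that splices the untrusted name into the SQL text (the flaw)."""
    db.execute("DELETE FROM users WHERE username = '" + username + "'")
    db.commit()


def delete_account_fixed(db, username):
    """Same handler with a bound parameter: the name is data, never SQL."""
    db.execute("DELETE FROM users WHERE username = ?", (username,))
    db.commit()


def remaining_users(db):
    """Usernames still present, sorted, so the two handlers can be compared."""
    return [row[0] for row in
            db.execute("SELECT username FROM users ORDER BY username")]


def availability_check(handler):
    """Tester's check: after one removal request carrying a hostile name,
    every other account must still exist, otherwise nobody can log in and the
    application is effectively down even though the server is still up."""
    db = make_db()
    hostile_name = "nobody' OR '1'='1"   # constructed test input, not a real account
    handler(db, hostile_name)
    return remaining_users(db)
```

With the vulnerable handler the check returns an empty list (every account gone); with the fixed handler all three accounts survive.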
>From: "Shields, Larry" <Larry.Shields at FMR.COM>
>To: "Eoin Keary" <eoinkeary at hotmail.com>, 
><owasp-testing at lists.sourceforge.net>
>Subject: RE: [OWASP-TESTING] Application DoS Section
>Date: Fri, 2 Sep 2005 09:50:31 -0400
>
>	But we're not trying to provide the solutions in this doc, just show
>how to test it and find the problems white/black box.  Limiting memory
>usage is good, but you can still starve the JVM, which DoSes the 
>application, just not the whole box... Right?
>
>-Larry
>
>-----Original Message-----
>From: Eoin Keary [mailto:eoinkeary at hotmail.com]
>Sent: Friday, September 02, 2005 9:35 AM
>To: Shields, Larry; owasp-testing at lists.sourceforge.net
>Subject: RE: [OWASP-TESTING] Application DoS Section
>
>Hi Larry,
>regarding the Java example and memory usage,
>
>If the Java virtual machine JVM uses switches as follows this will 
>limit the memory usage
>
>-Xmx10m sets the maximum heap size in megabytes (10MB in this example)
>-Xoss300k sets the maximum stack size in 1024 chunks
>-Xss64k sets the max native stack size for any thread in multiples of 1024.
>
>these can all be seen by typing "Java -X" at cmd line
>
>Just thought you would like to know.
>
> >From: "Shields, Larry" <Larry.Shields at FMR.COM>
> >To: <owasp-testing at lists.sourceforge.net>
> >Subject: [OWASP-TESTING] Application DoS Section
> >Date: Fri, 2 Sep 2005 09:00:28 -0400
> >
> >Here's my draft on this section
> >
> >  <<Application Layer Denial of Service.doc>>
> >
> >-Larry Shields, CISSP
> >
> >
>
>
> ><< ApplicationLayerDenialofService.doc >>
>
>_______________________________________________
>owasp-testing mailing list
>owasp-testing at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/owasp-testing