[OWASP-TESTING] Application DoS Section

Javier Fernandez-Sanguino jfernandez at germinus.com
Mon Sep 5 05:30:17 EDT 2005


Shields, Larry wrote:

> However, by this same logic, one could put the Buffer Overflow DoS into
> that same type of category.  So I'm willing to listen to opinions from
> others on this... Do we want to include a catch-all of other possible
> ways someone could make the application unavailable if they used other
> attacks to compromise something in the application, like those we
> discussed here?

Yes, I think that's best. Notice that a buffer overflow might not 
immediately lead to code execution but can lead to a DoS (consider an 
application running on an obscure processor, or a known vulnerability 
with no exploit code): you can find a buffer overflow in an obscure 
application (by simply feeding long parameter values) but he might 
not be able to debug the application in place in order to determine 
how to set up the buffer overflow to execute code.

Regards

Javier
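The overflow-as-DoS point above, as an added example that is not part of the original message: a parameter-copy routine in C, with the unchecked pattern (an over-long value overruns a fixed buffer and typically just crashes the process) beside a length-checked form that rejects the value instead. The `request_param` struct, `PARAM_MAX`, and the function names are assumptions made for illustration; the over-long input is constructed in the code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size parameter record (constructed for this example). */
#define PARAM_MAX 64
struct request_param {
    char name[16];
    char value[PARAM_MAX];
};

/* Unchecked pattern: strcpy into a fixed buffer. A long parameter value
 * overruns `value` and corrupts whatever follows; on most targets the
 * visible result is a crash (a DoS) long before anyone has worked out
 * reliable code execution. Kept for contrast only; not called below. */
void set_value_unchecked(struct request_param *p, const char *v)
{
    strcpy(p->value, v);
}

/* Measure at most `max` bytes so an unterminated input cannot make the
 * length check itself read off the end of the buffer. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: measure before copying, reject anything that would not
 * fit with its terminator, and leave the record untouched on rejection.
 * Returns 0 on success, -1 when the value is too long. */
int set_value_checked(struct request_param *p, const char *v)
{
    size_t n = bounded_len(v, PARAM_MAX);
    if (n >= PARAM_MAX)      /* no room for the NUL: refuse the value */
        return -1;
    memcpy(p->value, v, n + 1);
    return 0;
}

/* Constructed over-long input: `len` bytes of 'A' plus a terminator. */
char *make_long_value(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    struct request_param p;
    char *big = make_long_value(10000);  /* the "long parameter value" test */
    if (big == NULL)
        return 1;

    printf("short value: %s\n", set_value_checked(&p, "en-US") == 0 ? "accepted" : "rejected");
    printf("10000-byte value: %s\n", set_value_checked(&p, big) == 0 ? "accepted" : "rejected");
    printf("stored value is still: %s\n", p.value);
    free(big);
    return 0;
}
```

The checked routine is what a tester feeding long parameter values should find: a clean rejection rather than a crash. If the application instead becomes unavailable under that input, it belongs in the DoS section regardless of whether code execution is ever demonstrated.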
