[OWASP-TESTING] Application DoS Section

Javier Fernandez-Sanguino jfernandez at germinus.com
Tue Sep 6 11:34:29 EDT 2005


Mauro Bregolin wrote:

> Larry,
> 
> I agree on what you're saying, and in fact it might not be beneficial to
> modify the whole document.
> However, while causing a DoS might be pointless in the scope of testing,
> citing DoS as a possible outcome of an attack might have some value, if not
> for the reason that you might cause a DoS yourself when testing.
> It is true that this is more likely with some vectors (e.g., malfunctioning
> BOFs) than others, where you have to do it purposefully. SQL injection
> probably is of the latter kind; though, if you can play with UPDATE commands
> you can do quite some harm and one could argue that if you don't know the
> internal semantics you might inadvertently cause unintended damage and
> consequently DoS.

Agreed. I was exactly thinking about this too. I remember a case when 
a bad place '-- in a parameter caused an update script to run
"update foo SET columna=''-- where columnb='something'" instead of 
just "update foo SET columna='parameter" where columnb='something'". 
That was a blind SQL injection test, something that an automated 
application might do inadvertently and could have grave DoS 
consequences for the application itself.

So, it's not something that can happen when you go and say "ok, I have 
SQL injection here, I can clear up all tables or drop the database 
itself" but also something that can happen when you are in the 
investigation phase and testing the application.

Maybe the above example would be more a warning to (blind pen-) 
testers than something that should appear explicitly in the DoS 
section. I don't know...

Regards

Javier




More information about the Owasp-testing mailing list