[OWASP-TESTING] Application DoS Section
jfernandez at germinus.com
Tue Sep 6 11:34:29 EDT 2005
Mauro Bregolin wrote:
> I agree on what you're saying, and in fact it might not be beneficial to
> modify the whole document.
> However, while causing a DoS might be pointless in the scope of testing,
> citing DoS as a possible outcome of an attack might have some value, if not
> for the reason that you might cause a DoS yourself when testing.
> It is true that this is more likely with some vectors (e.g., malfunctioning
> BOFs) than others, where you have to do it purposefully. SQL injection
> probably is of the latter kind; though, if you can play with UPDATE commands
> you can do quite some harm and one could argue that if you don't know the
> internal semantics you might inadvertently cause unintended damage and
> consequently DoS.
Agreed. I was exactly thinking about this too. I remember a case when
a bad place '-- in a parameter caused an update script to run
"update foo SET columna=''-- where columnb='something'" instead of
just "update foo SET columna='parameter" where columnb='something'".
That was a blind SQL injection test, something that an automated
application might do inadvertently and could have grave DoS
consequences for the application itself.
So, it's not something that can happen when you go and say "ok, I have
SQL injection here, I can clear up all tables or drop the database
itself" but also something that can happen when you are in the
investigation phase and testing the application.
Maybe the above example would be more a warning to (blind pen-)
testers than something that should appear explicitly in the DoS
section. I don't know...
More information about the Owasp-testing