ASRG / asrg.io

asrg.io - website and docs
MIT License

vulnerability Report - 15276 (Google Captcha) #438

Closed usman-asrg closed 2 years ago

usman-asrg commented 2 years ago

Title: Temporary denial of service of Anti-virus or privacy functionality

What is the vulnerability? This algorithm is used to check if the user session (or IP address) has to be limited based on the information in the session cache. In case a client made too many requests within a given timeframe, HTTP servers can respond with status code 429: Too Many Requests.

Impact: The contact form doesn't have a limit on sending reports. The action is also performed over a non stripped network, so a hacker can sniff the network and read the communication in plaintext.

Impact: This bug sends unlimited forms to the server, which will irritate the server handler.

Steps:

1. Capture the request of an empty form and fill the form
2. Send the request to Intruder
3. Clear all in Positions > select q=0.5 > just 0.5
4. Go to Payloads > Numbers > from 1, to 100 and step = 1
5. Start attack

Impact: Suppose an attacker sends multiple request forms; they will get sent to the server with no limitations, then it will crash, or, as each form takes some memory to be stored on the server, it will consume the server's memory.

Suppose one form requires 5 MB and the attacker sends 200000 requests for the form; then it will occupy 10000000 MB (10000 GB). 5*200000 = 10000000.

It will consume a huge amount of the server's data, so put limitations on forms.

Every action in the web app takes memory. If the report form takes 5 MB of memory to store on the server and a hacker attacks with 20,0000 requests, mathematically it will consume 10 thousand GB and the server will get exhausted.

Second vulnerability: what if malicious users make thousands of requests with thousands of different emails? Now you can think about what the condition of your server would be.

Remediation: make use of Google CAPTCHA or some request blocker which allows requests only at particular moments.
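The "request blocker" the report asks for is a per-client rate limiter that answers 429 once a session or IP exceeds a quota in a time window. The following is an added example, not code from the asrg.io project or from the reporter; the limit, window and the TEST-NET client address are constructed values.

```python
"""Sliding-window rate limiter keyed by client IP or session id.
Added illustration for the 429 Too Many Requests behaviour described
in the report; not part of the asrg.io code base."""
import time
from collections import deque
from typing import Deque, Dict, Optional, Tuple


class RateLimiter:
    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit        # max requests per client per window
        self.window = window      # window length in seconds
        # recent request timestamps, one deque per client key
        self.hits: Dict[str, Deque[float]] = {}

    def check(self, client: str, now: Optional[float] = None) -> Tuple[int, int]:
        """Record one request from `client`.

        Returns (status, retry_after_seconds): 200 while the client is
        within its quota, 429 once it must be throttled.
        """
        now = time.monotonic() if now is None else now
        hits = self.hits.setdefault(client, deque())
        # drop timestamps that have fallen out of the sliding window
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            # the oldest request still in the window decides when a slot frees up
            retry_after = int(self.window - (now - hits[0])) + 1
            return 429, retry_after
        hits.append(now)
        return 200, 0


def simulate_form_burst(count: int, limit: int = 5, window: float = 60.0) -> dict:
    """Constructed scenario: a single client submits `count` report forms
    within a fraction of a second. Returns how many were accepted and
    how many were answered with 429."""
    limiter = RateLimiter(limit=limit, window=window)
    accepted = rejected = 0
    for i in range(count):
        # 203.0.113.7 is a constructed address from the TEST-NET-3 range
        status, _ = limiter.check("203.0.113.7", now=1000.0 + i * 0.001)
        if status == 200:
            accepted += 1
        else:
            rejected += 1
    return {"accepted": accepted, "rejected": rejected}
```

Whatever the limit, the important property is that the cap is enforced per client key, so one client flooding the form cannot consume storage for all the others.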

usman-asrg commented 2 years ago

Google captcha is added on the login and Registration Forms
