king155 / skipfish

Automatically exported from code.google.com/p/skipfish
Apache License 2.0
0 stars 0 forks source link

DoS attack possible #13

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
It is highly demanded, to implement an dos(denial of service) blocker.

The easiest way should be, to ask about a simple key file
 like "http://example.com/skipfish_[sha_digest_hex].html"

Original issue reported on code.google.com by res...@googlemail.com on 21 Mar 2010 at 5:05

GoogleCodeExporter commented 8 years ago
Firstly, the project is open source; nothing would prevent a malicious party 
from 
simply removing this check.

Secondly, using a scanner with the intent to launch a denial-of-service attack 
is an 
odd move. There are far more efficient and simpler tools you can use if your 
only goal 
is to overload the server (even Apache benchmarking tool is probably more 
dangerous).

Original comment by lcam...@gmail.com on 21 Mar 2010 at 5:35

GoogleCodeExporter commented 8 years ago
What about some decent defaults to -m -g -d -c -r parameter?

Original comment by res...@googlemail.com on 21 Mar 2010 at 6:11

GoogleCodeExporter commented 8 years ago
What's not decent about the defaults, specifically? -m is capped at 10, which 
seems 
rather sensible (with keep-alive hosts in particular). You also can't run the 
scanner 
until you actually look at the documentation and jump through some hops 
(picking a 
dictionary, specifying -o).

DoS defenses should really be implemented on server side; and if this tool is 
causing 
you trouble, you probably have a significant problem anyway.

Original comment by lcam...@gmail.com on 21 Mar 2010 at 8:45