DoS:how to takedown websites for fun& profit

You can look for DoS vulnerabilities for any reason such as for bug bounty program,delete privacy infringement site,phishing site or the classic Lulz:)

I don’t encourage illegal hacking so the techniques on this blog are for educational purposes only.All the findings were reported to bug bounty programs and fixed.for obvious reasons the programs won’t be named.

1.Long password 

Sending long password on signup of two sites brought down the sites.

Fix:having password length limit 

Bounties:$500 ,$250

2.cache poisoning 

A site running on drupal 7 with misconfigured WAF(cloud flare) could be ddosed by sending alot(50+ requests) on path ?id=11


After this finding I went to look for such misconfigurations which netted over 20 reports in 2 months

Another instance of cache poisoning was via a header with malformed value such as : x-forwarded-port: xxx12.

3.wordpress CVE-2018-6389

Running the script at  https://github.com/quitten/doser.py  could bring down Wordpress sites running with loaded js and css scripts.


4.API limit 

Some API endpoint with path /limit=100 that returned 100 objects could be taken down by using larger characters than 100.inputting 1000000 was enough to DoS the site.

5.SQLi

You read it right,sqli can be critical and why do you need it for DoS? I found a limited sqli where I couldn’t retrieve data due to permissions issue.I needed impact to report so I had to use the famous sleep command.

6.Rce 

Using command injection to DoS the site 

7.Redos 

Sending malformed regex  to query functions could bring down sites.

8.Large pixel picture 

I uploaded a modified image with large pixel on my profile in some site which could produce a 500 error for anyone who viewed my profile.

9.Bonus:Notes Android app on xiaomi 

Saving more than 15k characters in xiaomi phones notes apps could crash the app making it unusable till clearing of app’s data.

The bug was fixed with limited characters and truncating extra characters.

After performing a DoS confirm the validity by using “ is it down” websites or try loading the sites via different ip address to make sure you’re not blocked by WAF.you can also use online web based proxies 


Comments

Post a Comment

Popular posts from this blog

SOME BUGS

Image
 It's been  a while since i wrote anything related to bug bounty or hacking.In that time i have had some interesting and bad experiences with bug bounty programs.from fast responses to scam external  programs I won't be naming/ shaming the programs but soon i will put up a comprehensive list of scam programs to avoid. Let's talk about some of the bugs; 1. Authentication bypass via path normalization i was hunting on some match matching/dating site.after finding subdomains via crt.sh and fuzzing the subdomains with a wordlist.i found a login page;  min.site.com I started to fuzz to files with ffuf with a custom wordlist.with no result i looked for sqli but found non.tried response manipulation.again failed I was about to give up then i click on a png file.deleted the pic.png and got 403 error.using script https://github.com/iamj0ker/bypass-403 on it i  could list images on the server! https://login.site.com/images// I tried https://login.site.com// also https://...
Read more

Not A Guide to hacking betting sites

  DISCLAIMER!!!   This is for educational purposes only and not a guide to hacking betting sites. In this writeup i will try to provide some bugs i have found on betting sites during my almost 3years bug bounty journey.I have reported more than 100 vulnerabilities on betting websites and android application but i will only talk about some bugs.Sorry,I don't have screenshots to demonstrate the vulnerabilities so i will just list  some bugs and their impacts.I will not name the companies for obvious reasons The writeup lists some  vulnerabilities bug hunters can look for while hunting on betting platforms so grab some coffee and popcorn and enjoy! Some are interesting like  changing odds or withdrawing twice or withdrawing money more than your balance:) IDOR I found most of IDOR on betting sites on profile id parameters.some occurred on bet history where i could change user bet id history and get any user betting history on the site. SQLI Most of then were blind s...
Read more

Taking a Delorean car back to the future:Time related attacks

Image
After thinking about what to write about and having some ideas which are still half done and in draft.I decided to write this! As a car enthusiast with love for classic cars and passion for bringing back old cars to life. I would admit and hope my good friend mark whom we disagrees on most ideas are on the same page here.Delorean was a beauty.If you have not watched Back to the Future movies you are missing out. sit at the back left and let me drive you through time.oops! i forgot delorean is a two-passenger sports car ,but why not go to the future,2024 and get the new powerful delorean alpha5.A better looking super-fast,2+2 coupe , electric car. Enough with the car analogy,we as hackers love technical stuff,nevertheless i believe nowadays i am starting to appreciate the non-technical aspects,folks and roles in tech. In this blog i will discuss some attacks that could impact software from a time change.changing time to the future or back to the past could impact the normal working of ...
Read more