How do we crash systems, browsers, or otherwise bring things to a halt, and how do we protect those things? 
new type of ddos?
Posted by: SpoofGhost
Date: May 07, 2009 07:18PM

Hi there ;)..

I was thinking about a new DoS/DDoS type.
There are many sites that have a login system where, when you enter
the wrong password like 3 to xxx times, you can't log in for xxx minutes/hours/days.

Anyway, you get my point. Well then, if there is a hole/bug in a public place where you can input persistent XSS, the best place would be the home pages.

You can generate wrong login sessions for every visitor, so if someone wants to log in it says too many tries. Anyway, that way you can disable their service,
as every service which requires login is started with logging in, so everything malfunctions.

Ofc this should be examined.

Anyway, actually my question is: what do you guys think of this?

Re: new type of ddos?
Posted by: PaPPy
Date: May 08, 2009 08:56AM

Why not create an XSS worm that changes their password/email, or overwrites their login function to send you their details and log them in?

If you can XSS their front page you can do a lot more than attempt to lock out some accounts, because all the admin will probably do is put a CAPTCHA on the login box, or remove the rule for 3 failed logins.

http://www.xssed.com/archive/author=PaPPy/

Re: new type of ddos?
Posted by: SpoofGhost
Date: May 08, 2009 02:16PM

Yes, that would be possible of course,
though it depends on what you want to accomplish. But yes, you're right; anyway,
there might be a use in this. Still, everyone thinks it's annoying if there is
a CAPTCHA on their login, and if they remove the rule for login you can
brute force, so that ain't really a solution for them.

Btw, it was just an example of how that could be used to DDoS. It would even be
possible if the user is on a different site.

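The lockout problem the first three posts circle around (a counter that anyone can drive up locks the real user out; dropping the counter re-opens brute force) is a design question, so here is an added example, not code from the thread or from any site mentioned in it. It contrasts an account-only lockout with a policy that counts failures per (account, source) and falls back to a step-up challenge instead of a denial. Account names, addresses and the request sequence are constructed sample data; the class and function names are my own.

```python
"""Account lockout as a denial-of-service vector (added example, not from the
thread). AccountOnlyLockout denies 'alice' after MAX_FAILURES wrong passwords
from anyone, so a third party can lock her out. PerSourceLockout denies only
the offending source and gives other sources a step-up challenge, so the real
user is never denied. All names and addresses below are constructed."""
from collections import defaultdict

MAX_FAILURES = 3          # failures before the policy reacts
WINDOW_SECONDS = 900      # failures older than this are forgotten


class FakeClock:
    """Deterministic clock so the scenario is reproducible offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AccountOnlyLockout:
    """Naive policy: MAX_FAILURES against an account, from anyone, lock it."""
    def __init__(self, clock):
        self.clock = clock
        self.failures = defaultdict(list)   # key -> list of failure timestamps

    def _recent(self, key):
        """Drop failures outside the window and return the ones that remain."""
        cutoff = self.clock() - WINDOW_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return self.failures[key]

    def record_failure(self, account, source):
        self.failures[account].append(self.clock())

    def decide(self, account, source):
        return "deny" if len(self._recent(account)) >= MAX_FAILURES else "allow"


class PerSourceLockout(AccountOnlyLockout):
    """Hardened policy: failures are counted per (account, source) as well as
    per account. The offending source is denied; any other source for an
    account under attack only receives a step-up challenge (e.g. a CAPTCHA or
    second factor), so nobody can lock the legitimate user out remotely."""
    def record_failure(self, account, source):
        now = self.clock()
        self.failures[(account, source)].append(now)
        self.failures[account].append(now)          # account-wide view

    def decide(self, account, source):
        if len(self._recent((account, source))) >= MAX_FAILURES:
            return "deny"
        if len(self._recent(account)) >= MAX_FAILURES:
            return "challenge"
        return "allow"


def run_scenario(policy_cls):
    """A hostile source submits MAX_FAILURES wrong passwords for alice, then
    alice logs in from her own address. Returns (attacker, victim) decisions."""
    clock = FakeClock()
    policy = policy_cls(clock)
    attacker, victim = "203.0.113.5", "198.51.100.7"   # RFC 5737 test addresses
    for _ in range(MAX_FAILURES):
        policy.record_failure("alice", attacker)
        clock.advance(1)
    return policy.decide("alice", attacker), policy.decide("alice", victim)


def lockout_expires(policy_cls):
    """Once the window has passed, stale failures are forgotten under both policies."""
    clock = FakeClock()
    policy = policy_cls(clock)
    for _ in range(MAX_FAILURES):
        policy.record_failure("alice", "203.0.113.5")
    clock.advance(WINDOW_SECONDS + 1)
    return policy.decide("alice", "203.0.113.5")


if __name__ == "__main__":
    for cls in (AccountOnlyLockout, PerSourceLockout):
        print(cls.__name__, run_scenario(cls))
```

Under the account-only policy the scenario returns `("deny", "deny")`: the victim is locked out by requests she never sent. Under the per-source policy it returns `("deny", "challenge")`: the hostile source is throttled, the real user is inconvenienced at most by a challenge, and the failure counter that protects against brute force is still in place.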
Re: new type of ddos?
Posted by: lightos
Date: May 08, 2009 04:51PM

If an XSS is available, there are easier ways to DoS the user from
visiting the site. Set two cookies of approx. 4192 bytes each;
this will reach the max content limit allowed to be sent in a request,
successfully blocking the user from accessing the server.
You could also use a specific browser DoS or create an infinite loop, open a million iframes, etc...
And even without an XSS, check out this excellent post by sdc.
http://sirdarckcat.blogspot.com/2009/04/how-to-use-google-analytics-to-dos.html

Edited 1 time(s). Last edit at 05/08/2009 11:13PM by lightos.
