gayatri r
2 min read, May 24, 2019

P2 Application-Level Denial-of-Service (DoS) (Critical Impact or Easy Difficulty)

Vulnerability Category: A6:2017 - Security Misconfiguration (OWASP Top 10)

Vulnerability Description: Application-level denial of service is often confused with network-level (volumetric) DoS, but it needs no flood of traffic. It arises when a function of the application does disproportionate work for a single request: inflating an archive, decoding an image, expanding XML entities, or simply storing a very large upload. Because the entry point is ordinary interaction with the application, the malicious requests look like legitimate use, which makes these attacks hard to identify in traffic and often even harder to prevent than a bandwidth flood.

Impact: The effect is the same as a network-level DoS. An attacker can exhaust CPU, memory, or disk on the application server and make the application unavailable to other users, typically with a handful of requests rather than a botnet.

Recommendation:

· Proper input validation mitigates this vulnerability: enforce a maximum request and upload size, bound the decompressed size and compression ratio of archives, check image dimensions before decoding, and configure XML parsers to reject DTDs and entity expansion.

· Server-side checks on the content of uploaded files, performed before the file is processed, keep the expensive step from ever running; per-request timeouts and resource limits ensure that one request cannot starve the rest.

Severity: High

CVSS v3.0 Score: 7.5

CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

How to Test:

1) Look for file uploads in the application and try uploading a file at or above any advertised size limit, several times in succession. Slow responses or errors suggest the server is running short of disk or memory.

2) Try a zip bomb attack wherever the application accepts compressed files and extracts their contents on the server: a small archive that inflates to many gigabytes.

3) Wherever PNG images can be uploaded and are resized or converted on the server, test a PNG decompression bomb: a highly compressible image of roughly 50 MB that compresses to about 49 KB. Decoding it on upload can exhaust the server's memory, so there is a high chance of application-level DoS.

4) The Billion Laughs attack is a classic example of application-level DoS. Test for it whenever an application accepts XML input and parses it on the server side: nested entity declarations can expand a few kilobytes of XML into gigabytes of text.

Note: Check that denial-of-service testing is in scope for the program before trying any of these; many programs forbid it.
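The following is an added example, not code from the original post, showing the server-side pre-checks a defender would put in front of the four vectors in the test steps above (oversized uploads, zip bombs, PNG decompression bombs, XML entity expansion). It uses only the Python standard library; the limits at the top, the `Verdict` type and the sample inputs are all constructed here for illustration and are not taken from any real application.

```python
"""Server-side pre-checks for the four application-level DoS vectors from the
test steps: oversized uploads, zip bombs, PNG decompression bombs and XML
entity expansion. Added example; standard library only, Python 3.8+."""
import io
import struct
import zipfile
import zlib
import xml.parsers.expat
from typing import NamedTuple

# Hypothetical policy limits (assumptions; tune them for the application).
MAX_UPLOAD_BYTES = 10 * 1024 * 1024      # accept at most 10 MiB on the wire
MAX_EXTRACTED_BYTES = 100 * 1024 * 1024  # stop inflating past 100 MiB
MAX_COMPRESSION_RATIO = 100              # denser than 100:1 is suspicious
MAX_IMAGE_PIXELS = 25_000_000            # ~100 MiB once decoded as RGBA
CHUNK = 64 * 1024


class Verdict(NamedTuple):
    ok: bool
    reason: str
    measured: float  # bytes, ratio or pixel count, depending on the check


def check_upload_size(data: bytes) -> Verdict:
    """Step 1: refuse oversized bodies before any parsing happens (a real
    server should enforce this on Content-Length and while streaming)."""
    if len(data) > MAX_UPLOAD_BYTES:
        return Verdict(False, "upload exceeds size limit", len(data))
    return Verdict(True, "size ok", len(data))


def check_zip(data: bytes) -> Verdict:
    """Step 2: inflate in chunks and count what actually comes out. The
    sizes in the central directory can be forged, so never trust them."""
    compressed = extracted = 0
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                compressed += info.compress_size
                with zf.open(info) as member:
                    while chunk := member.read(CHUNK):
                        extracted += len(chunk)
                        if extracted > MAX_EXTRACTED_BYTES:
                            return Verdict(False, "extraction budget exceeded", extracted)
    except zipfile.BadZipFile as exc:
        return Verdict(False, f"bad zip: {exc}", 0)
    ratio = extracted / max(compressed, 1)
    if ratio > MAX_COMPRESSION_RATIO:
        return Verdict(False, "compression ratio too high", ratio)
    return Verdict(True, "archive ok", ratio)


def check_png(data: bytes) -> Verdict:
    """Step 3: read width/height from the IHDR chunk and bound the decoded
    pixel count before handing the file to an image decoder."""
    sig = b"\x89PNG\r\n\x1a\n"
    if len(data) < 24 or not data.startswith(sig) or data[12:16] != b"IHDR":
        return Verdict(False, "not a PNG", 0)
    width, height = struct.unpack(">II", data[16:24])
    pixels = width * height
    if pixels > MAX_IMAGE_PIXELS:
        return Verdict(False, f"{width}x{height} exceeds pixel budget", pixels)
    return Verdict(True, "image dimensions ok", pixels)


def check_xml(data: bytes) -> Verdict:
    """Step 4: parse with expat and abort on the first entity declaration,
    i.e. before any expansion happens. External entities are never fetched
    because no ExternalEntityRefHandler is installed."""
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, *_):
        raise ValueError(f"entity declaration {name!r} is not allowed")

    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except ValueError as exc:
        return Verdict(False, str(exc), 1)
    except xml.parsers.expat.ExpatError as exc:
        return Verdict(False, f"malformed XML: {exc}", 0)
    return Verdict(True, "no entity declarations", 0)


def _build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def _png_header(width: int, height: int) -> bytes:
    chunk = b"IHDR" + struct.pack(">II", width, height) + bytes([8, 6, 0, 0, 0])
    return (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + chunk
            + struct.pack(">I", zlib.crc32(chunk) & 0xFFFFFFFF))


# Constructed samples: 2 MiB of zeros (deflates to ~2 KiB), a PNG header
# claiming 50000x50000 pixels, and a three-level entity bomb (10^3 copies).
ZIP_BOMB = _build_zip({"zeros.bin": b"\0" * (2 * 1024 * 1024)})
BENIGN_ZIP = _build_zip({"table.bin": bytes(range(256)) * 4})
PNG_BOMB = _png_header(50_000, 50_000)
PNG_SMALL = _png_header(640, 480)
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""
PLAIN_XML = b"<doc><item>hello</item></doc>"

if __name__ == "__main__":
    for label, verdict in [("zip bomb", check_zip(ZIP_BOMB)),
                           ("benign zip", check_zip(BENIGN_ZIP)),
                           ("png bomb", check_png(PNG_BOMB)),
                           ("xml bomb", check_xml(BILLION_LAUGHS))]:
        print(f"{label:11} {'ACCEPT' if verdict.ok else 'REJECT'}: {verdict.reason}")
```

The zip check deliberately counts decompressed bytes as they are produced rather than reading `file_size` from the archive headers, because a crafted archive can lie about its contents. The PNG check only bounds the dimensions declared in the header; the image decoder itself should carry its own pixel limit as a second line of defence. The XML check rejects the first entity declaration rather than trying to measure expansion, which is the simplest portable control regardless of whether the underlying libexpat build has amplification limits.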
