Denial of Service

Denial of Service (DoS) is an attack technique with the intent of preventing a web site from serving normal user activity. DoS attacks, which are normally applied to the network layer, are also possible at the application layer. These attacks can succeed by starving a system of critical resources, by exploiting a vulnerability, or by abusing functionality.

DoS attacks will often attempt to consume all of a web site's available system resources, such as CPU, memory and disk space. When any one of these critical resources reaches full utilization, the web site will normally become inaccessible.

As today's web application environments include a web server, a database server and an authentication server, DoS at the application layer may target each of these components independently. Unlike DoS at the network layer, which requires a large number of connection attempts, DoS at the application layer is a much simpler task to perform.

Assume a health-care web site that generates a report of a patient's medical history. For each report request, the web site queries the database to fetch all records matching a single social security number. Given that hundreds of thousands of records are stored in the database (for all users), the user will need to wait three minutes to get their medical history report. During those three minutes, the database server's CPU reaches 60% utilization while searching for matching records.

A common application-layer DoS attack will send 10 simultaneous requests asking to generate a medical history report. These requests will most likely put the web site into a DoS condition, as the database server's CPU will reach 100% utilization. At this point the system will likely be inaccessible to normal user activity.

DoS targeting a specific user
An intruder will repeatedly attempt to log in to a web site as some user, purposely doing so with an invalid password. This process will eventually lock out the user.

DoS targeting the Database server
An intruder will use SQL injection techniques to modify the database so that the system becomes unusable (e.g., deleting all data, deleting all user names, etc.).

DoS targeting the Web server
An intruder will use buffer overflow techniques to send a specially crafted request that crashes the web server process, after which the system will normally be inaccessible to normal user activity.
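The two application-layer patterns described above, the burst of expensive report requests and the repeated failed logins that drive a user into lockout, both leave a clear trace in the web server's access log. The following detector is an added example, not part of the original page or of any product it describes; the log format, the `/report/history` and `/login` paths, the HTTP 401 convention for a failed login and the thresholds are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not from the page): timestamp client account path status.
# 10.0.0.5 fires three medical-history reports in two seconds; 10.0.0.9 fails to
# log in as bob three times, the pattern used to drive an account into lockout.
SAMPLE_LOG = """\
2013-05-01T10:00:00 10.0.0.5 alice /report/history 200
2013-05-01T10:00:01 10.0.0.5 alice /report/history 200
2013-05-01T10:00:02 10.0.0.5 alice /report/history 200
2013-05-01T10:03:00 10.0.0.7 carol /report/history 200
2013-05-01T10:05:00 10.0.0.9 bob /login 401
2013-05-01T10:05:01 10.0.0.9 bob /login 401
2013-05-01T10:05:02 10.0.0.9 bob /login 401
2013-05-01T10:06:00 10.0.0.8 alice /login 401
"""

def parse_log(text):
    """Split each line of the constructed format into an event dict."""
    events = []
    for line in text.splitlines():
        ts, client, account, path, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "account": account, "path": path, "status": int(status)})
    return events

def report_bursts(events, path="/report/history", window=timedelta(seconds=60), limit=2):
    """Clients with more than `limit` report requests in any `window`; returns peak count."""
    per_client = defaultdict(list)
    for e in events:
        if e["path"] == path:
            per_client[e["client"]].append(e["ts"])
    flagged = {}
    for client, stamps in per_client.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > limit:
                flagged[client] = max(flagged.get(client, 0), end - start + 1)
    return flagged

def lockout_abuse(events, login_path="/login", limit=2):
    """Accounts with more than `limit` failed logins (401), i.e. being driven toward lockout."""
    failures = defaultdict(int)
    for e in events:
        if e["path"] == login_path and e["status"] == 401:
            failures[e["account"]] += 1
    return {acct: n for acct, n in failures.items() if n > limit}
```

In practice the thresholds would be tuned to the cost of the report (the three-minute, 60% CPU query above justifies a very low per-client concurrency limit) and a flagged client or account would be throttled rather than blocked outright, so that the detector itself cannot be turned into a lockout tool.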


COPYRIGHT (C) 2000 - 2013 InfoSecPro.com ALL RIGHTS RESERVED