ABSTRACT

An attacker could cause the program to crash or otherwise become unavailable to legitimate users.

EXPLANATION

Attackers may be able to deny service to legitimate users by flooding the application with requests, but flooding attacks can often be defused at the network layer (rate limiting, connection limits, upstream filtering). More problematic are bugs that allow an attacker to overload the application with a small number of requests. Such bugs let the attacker choose the quantity of system resources a single request consumes, or the duration for which it holds them, so no volume of traffic is needed to exhaust a worker, a thread pool or a connection slot.

Example 1: The following code converts user-supplied text directly into the number of seconds the current process will sleep. Nothing bounds the value, so by specifying a large number an attacker can tie up the process for as long as they like; with a pool of worker processes, a handful of such requests is enough to exhaust the pool.


unsigned int usrSleepTime = uatoi(usrInput);   /* usrInput is attacker-controlled; uatoi() is an unchecked string-to-unsigned conversion */
sleep(usrSleepTime);                           /* no upper bound: the caller decides how long this process blocks */
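
The hardened form of the pattern above, as an added example rather than code from the original page: the attacker-supplied string is parsed strictly and checked against a fixed ceiling before it is ever passed to sleep(). The MAX_SLEEP_SECONDS limit, the function names and the sample inputs are assumptions made for this example; the point is that the caller is no longer able to choose a duration the application has not already decided it can afford.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Upper bound (assumed for this example) on how long one request may hold
 * the process. Larger values are rejected, not clamped, so an attacker
 * cannot pick a value that keeps a worker busy. */
#define MAX_SLEEP_SECONDS 5U

enum parse_result {
    PARSE_OK = 0,
    PARSE_EMPTY,          /* NULL or empty input */
    PARSE_NOT_A_NUMBER,   /* sign, whitespace, or trailing garbage */
    PARSE_OUT_OF_RANGE    /* overflow, or above MAX_SLEEP_SECONDS */
};

/* Convert attacker-controlled text into a sleep duration, accepting only a
 * plain decimal number in [0, MAX_SLEEP_SECONDS]. Unlike atoi()/strtoul()
 * alone this rejects trailing garbage, leading signs and whitespace
 * (strtoul would otherwise wrap "-1" to a huge value) and overflow. */
enum parse_result parse_sleep_seconds(const char *input, unsigned int *out)
{
    char *end;
    unsigned long value;

    if (input == NULL || *input == '\0')
        return PARSE_EMPTY;
    /* Require the first character to be a digit: no '-', '+' or spaces. */
    if (!isdigit((unsigned char)*input))
        return PARSE_NOT_A_NUMBER;

    errno = 0;
    value = strtoul(input, &end, 10);
    if (end == input || *end != '\0')
        return PARSE_NOT_A_NUMBER;
    if (errno == ERANGE || value > MAX_SLEEP_SECONDS)
        return PARSE_OUT_OF_RANGE;

    *out = (unsigned int)value;
    return PARSE_OK;
}

/* Convenience wrapper for callers that only need the verdict. */
enum parse_result check_sleep_input(const char *input)
{
    unsigned int ignored;
    return parse_sleep_seconds(input, &ignored);
}

/* Hardened replacement for sleep(uatoi(usrInput)): sleeps only for a
 * validated duration and returns -1 without sleeping otherwise. */
int bounded_sleep(const char *input)
{
    unsigned int seconds;
    if (parse_sleep_seconds(input, &seconds) != PARSE_OK)
        return -1;
    sleep(seconds);
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed hostile input when no argument is given: the value an
     * unchecked uatoi() would happily hand to sleep(). */
    const char *usrInput = argc > 1 ? argv[1] : "4294967295";
    unsigned int seconds;
    enum parse_result r = parse_sleep_seconds(usrInput, &seconds);

    if (r != PARSE_OK) {
        fprintf(stderr, "rejected sleep request \"%s\" (reason %d)\n", usrInput, (int)r);
        return 1;
    }
    printf("sleeping %u second(s)\n", seconds);
    sleep(seconds);
    return 0;
}
```

Rejecting rather than clamping is deliberate: a clamp still lets the attacker hold a worker for the full maximum on every request, while a rejection costs the server nothing. Whatever the ceiling is, it should be derived from what the service can tolerate across all concurrent workers, not from what a legitimate user might ask for.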

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service

[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP6080 CAT II

[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 730

[4] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Denial of Service

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.9