🕵️
HowToHunt
  • HowToHunt.md
  • API Testing
    • Hidden API Functionality Exposure
    • Reverse Engineer an API
  • Account Takeover Methodology
    • Account Takeover Methodology
  • Application Level DoS
    • Application Level DoS Methods
  • Authentication Bypass
    • 2FA Bypasses
    • OTP Bypass
    • Account Ban Bypass
  • Broken-Link Hijacking
    • Broken-Link Hijacking
  • Broken Auth And Session Management
    • Session Based Bugs
  • CMS
    • AEM
    • Drupal
    • Wordpress
    • Moodle
  • CORS
    • CORS
    • CORS Bypasses
  • CSRF
    • CSRF
    • CSRF MindMap
    • CSRF Bypass
  • Finding CVEs
    • CVES
  • CheckList
    • Web Application Pentesting Checklist
    • Web Checklist by Chintan Gurjar.pdf
    • Web Checklist by Tushra Verma.pdf
    • Mindmap by Rohit Gautam
    • Mindmap by Cristian Cornea
  • Web Page Source Code Review
    • Web Page Code Review Tips
  • EXIF Geo Data Not Stripped
    • EXIF Geo Data Not Stripped
  • File Upload Bypass
    • File Upload Bypass
  • Find Origin IP
    • Find Origin
  • GraphQL
    • GraphQL
  • HTTP Desync Attack
    • HTTP_Desync
  • Host-Header Attack
    • Host-Header
  • HTML-Injection
    • HTML-Injection
  • IDOR
    • IDOR
  • JWT ATTACK
    • JWT
  • JIRA ATTACK
    • JIRA
  • MFA Bypass
    • MFA Bypasses
    • 2FA-Bypass
  • Misconfigurations
    • Default Credential And Admin Panel
    • Docker
    • S3 Bucket
  • OAuth
    • OAuth
    • OAuth Hunting
  • Open Redirection
    • Find OpenRedirect Trick
    • Open Redirection Bypass
  • Parameter Pollution
    • Parameter Pollution In Social Sharing Buttons
  • Password Reset Functionality
    • MindMap
    • Password Reset Token Leakage
    • Account_Takeover_By_Password_Reset_Functionality
    • Password_Reset_Flaws
  • Rate Limit
    • Rate Limit Flaws
    • Rate-Limit Bypass
    • No Rate-Limit on Verify-PhoneNo
    • No Rate-limit on Invite User
    • No Rate-limit on Promo
    • No Rate-limit on Verify-email
    • No Rate-limit on forget-password
  • Race Condition
    • Race Condition
  • Recon
    • Github
    • Recon Workflow
    • Subdomain Enumeration
  • SQLi
    • SQL Injection.md
  • SAML
    • SAML
  • SSRF
    • SSRF
    • Blind SSRF
  • SSTI
    • SSTI
  • Sign Up Functionality
    • Sign Up Bugs
    • Sign Up MindMap
  • Sensitive Info Leaks
    • Github Recon Method
    • Github-Dorks
    • Github Dorks All
    • Google Dorks
    • Shodan CVE Dorks
    • Version Leaks
  • Status Code Bypass
    • Status_Code_Bypass Tips
    • 403 Bypass
  • Subdomain Takeover
    • Subdomain Takeover - Detail Method
    • Subdomain Takeover - Easy Method
    • Subs or Top level Domain
  • Tabnabbing
    • Tabnabbing
  • WAF Bypasses
    • WAF Bypass Using Headers
  • Weak Password Policy
    • Weak Password Policy
  • XSS
    • XSS
    • Bypass CSP
    • XSS Bypass
    • Automated XSS
    • Post Message Xss
  • XXE
    • XXE Methods
    • Billion Laugh Attack
Powered by GitBook
On this page
  • 1. Email Bounce Issues
  • 2. Long Password DoS Attack
  • 3. Long String DOS
  • Use Password From Password.txt
  • 4. Permanent DOS to victim
  • Reference :
  • Author:
  1. Application Level DoS

Application Level DoS Methods

1. Email Bounce Issues

  • Check if Application has Invite Functionality

  • Try sending Invites to Invalid Email Accounts

  • Try to find Email Service Provider such as AWS SES , Hubspot , Campaign Monitor Note: You can find Email Service Provider by checking Email Headers

  • Once you have the Email Service Provider, Check there Hard Bounce Limits. Here are the limits for some of them:

    1. Hubspot Hard bounces: HubSpot's hard bounce limit is 5%. For reference, many ISPs prefer bounce rates to be under 2%.

    2. AWS SES: The rate of SES ranges from first 2-5% then 5-10%

Impact: Once the Hard Bounce Limits are reached, Email Service Provider will block the Company which means, No Emails would be sent to the Users !

2. Long Password DoS Attack

  • As the value of password is hashed and then stored in Databases. If there is no limit on the length of the Password, it can lead to consumption of resources for Hashing the Long Password.

How to test?

  • Use a Password of length around 150-200 words to check the presense of Length Restriction

  • If there is no Restriction, Choose a longer password and keep a eye on Response Time

  • Check if the Application Crashes for few seconds

Where to test?

  • Registration Password Field is usually restricted but the Length of Password on the Forgot Password Page and the Change Password (As Authenticated User) Functionality is usually missing.

3. Long String DOS

  • When you set some string so long so server cannot process it anymore it cause DOS sometime

How to test

Create app and put field like username or address or even profile picture name parameter ( second refrence ) like 1000 character of string . 
Search A's account from B's account either it will
  • Either it will keeping on searching for long time

  • Either the application will crash (500 - Error Code)

Use Password From Password.txt

⚠️it's not recommended using more than 5000 characters as password.

4. Permanent DOS to victim

This is not Application Level DOS but a Permanent DOS to victim. In some website user get blocked after trying to loging in with wrong credidentials.We will untilize this feature as bug :D.

How to check.

  • Go to login page of example.com.

  • Now enter valid account email and wrong password .

  • Try to login with these details for few times(at least 10-20 times).You can use repeater or intruder in burpsuite.

  • If your account get blocked, check the blocking time period.If the blocking time period is more than 30 min .You can report it.

Point to Remember

  • Make sure there is no captcha during login because we cann't make any automated tool to loop the request.

  • Make sure Old session are expired after being blocked.

What is priority of this bug?

  • If the user get permanently block after some wrong attempts this is considered as P2.

  • If the user get temporarly block this is considered as P3/P4.

During report try to add impact by saying that you can permanently block user account by looping this request with some intervals.

Reference :

- Email Bounce Issues

- Long Password DoS Attack

  • https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/

  • https://hackerone.com/reports/738569

  • https://hackerone.com/reports/167351

- Long String DOS

  • https://hackerone.com/reports/764434

- Permanent DOS to victim

  • https://youtu.be/5drIMXCQuNw

Author:

PreviousAccount Takeover MethodologyNext2FA Bypasses

Last updated 3 years ago

Here is the

Password.txt
https://medium.com/bugbountywriteup/an-unexpected-bounty-email-bounce-issues-b9f24a35eb68
https://medium.com/@shahjerry33/long-string-dos-6ba8ceab3aa0
Keshav Malik
Fani Malik