
DOS bug I found

sternone (Full Member, Posts: 129, Joined: Tue Aug 07, 2012 1:31 am)
Post Wed Aug 22, 2012 6:58 am
Re: DOS bug I found

How is Amazon doing it ?
Try harder....hmpf!!
Jamie.R (Sr. Member, Posts: 435, Joined: Mon Aug 06, 2012 9:57 am, Location: UK)
Post Wed Aug 22, 2012 7:00 am

The item was reported to the client as a DOS bug. I am not sure what the recommendation to the client was, as I did not finish the report and was not on the call with the client.

I think the client being made aware of it was enough for them. I mean, from the feedback the client gave, the bug had been in the application for well over 10 years.

I am not sure how Amazon are doing it, but I would think most companies are using the same sort of method.
Last edited by Jamie.R on Wed Aug 22, 2012 7:31 am, edited 1 time in total.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
m0wgli (Sr. Member, Posts: 308, Joined: Fri Jul 20, 2012 3:34 pm)
Post Wed Aug 22, 2012 7:23 am

sternone wrote: How is Amazon doing it?


I'm not sure. As far as I'm aware Amazon don't offer reserve and collect as they don't have retail premises.

My experience of the reserve and collect process is based off of how major UK retailers such as Argos and PC World are doing it. The item is removed from stock until the end of the next business day without requiring payment.

Jamie.R wrote: The item was reported to the client as a DOS bug. I am not sure what the recommendation to the client was, as I did not finish the report and was not on the call with the client.

I think the client being made aware of it was enough for them. I mean, from the feedback the client gave, the bug had been in the application for well over 10 years.

I am not sure how Amazon are doing it, but I would say most companies are using the same methods.


Jamie, thanks for the information.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
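The reserve-and-collect flow m0wgli describes above (stock removed at reservation time, no payment, hold expires at the end of the next business day) is easy to model, and the model makes the abuse in the thread concrete. The following is an added example, not code from the thread or from the tested application; the store, SKU "WIDGET", the customer names and the per-customer cap used as a fix are all constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample clock for the demo: a Wednesday morning (not from the thread).
NOW = datetime(2012, 8, 22, 9, 0, 0)


def end_of_next_business_day(now: datetime) -> datetime:
    """Expiry as described in the thread: the hold lasts until the end of the
    next business day. Weekends are skipped; bank holidays are ignored here."""
    day = now + timedelta(days=1)
    while day.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return day.replace(hour=23, minute=59, second=59, microsecond=0)


@dataclass
class Reservation:
    customer: str
    sku: str
    qty: int
    expires: datetime


class Store:
    """Minimal reserve-and-collect model. Stock is decremented when the hold is
    placed, before any payment. With per_customer_cap=None the store behaves like
    the flawed application discussed in the thread; with a cap it applies the
    hypothetical fix of limiting open holds per customer and SKU."""

    def __init__(self, stock: dict, per_customer_cap=None):
        self.stock = dict(stock)
        self.per_customer_cap = per_customer_cap
        self.reservations = []

    def open_qty(self, customer: str, sku: str, now: datetime) -> int:
        """Units this customer currently has on hold for this SKU."""
        return sum(r.qty for r in self.reservations
                   if r.customer == customer and r.sku == sku and r.expires > now)

    def reserve(self, customer: str, sku: str, qty: int, now: datetime) -> bool:
        if qty <= 0 or self.stock.get(sku, 0) < qty:
            return False
        if (self.per_customer_cap is not None
                and self.open_qty(customer, sku, now) + qty > self.per_customer_cap):
            return False                          # cap reached: refuse the hold
        self.stock[sku] -= qty
        self.reservations.append(
            Reservation(customer, sku, qty, end_of_next_business_day(now)))
        return True

    def release_expired(self, now: datetime) -> int:
        """Return unpaid, expired holds to stock; returns the number of units released."""
        released = 0
        keep = []
        for r in self.reservations:
            if r.expires <= now:
                self.stock[r.sku] += r.qty
                released += r.qty
            else:
                keep.append(r)
        self.reservations = keep
        return released


def hold_everything(store: Store, attacker: str, sku: str, now: datetime) -> int:
    """The abuse from the thread: keep reserving one unit, never paying, until the
    store refuses. Returns how many units the attacker managed to tie up."""
    taken = 0
    while store.reserve(attacker, sku, 1, now):
        taken += 1
    return taken


if __name__ == "__main__":
    flawed = Store({"WIDGET": 20})
    print("flawed store, attacker holds:", hold_everything(flawed, "mallory", "WIDGET", NOW))
    print("legitimate customer can reserve:", flawed.reserve("alice", "WIDGET", 1, NOW))
    capped = Store({"WIDGET": 20}, per_customer_cap=2)
    print("capped store, attacker holds:", hold_everything(capped, "mallory", "WIDGET", NOW))
    print("legitimate customer can reserve:", capped.reserve("alice", "WIDGET", 1, NOW))
```

In the flawed store one account empties the shelf and legitimate customers are refused until the holds expire. A per-customer cap is only a partial control: an attacker can register many accounts, so in practice it needs to be combined with something the attacker cannot multiply cheaply, such as requiring payment (or a card authorisation) at reservation time or limiting holds per delivery address or card.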
sternone
Post Wed Aug 22, 2012 7:43 am

Just my 2 cents.

If an outside company reported a functional bug as a DoS to me, I would have serious questions about who I'm dealing with.

I have so much more stuff to learn in my life, but apparently I'm not the only one ;-)
Try harder....hmpf!!
Jamie.R
Post Wed Aug 22, 2012 7:55 am

I think it's hit and miss, tbh. I would agree with all the comments here; I would say it's 50/50 between a DOS and a functional bug.

So we put it as a DOS and explained to the client why it happened and what we could do.

An interesting question would be: you have a phone that has a lock feature on it and your friend decides to play a game. He enters your PIN wrong 3 times, which then locks the phone for 1 min. He then does it again 3 more times and locks the phone for 10 min. He keeps on doing this until the phone is locked for 60 min.

Would you say that was a DOS? As mentioned above, you're not really using up resources like RAM, HDD or the processor; you are just locking him out of his phone and stopping him from using the phone for 1 hour.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
m0wgli
Post Wed Aug 22, 2012 8:29 am

Jamie.R wrote: An interesting question would be: you have a phone that has a lock feature on it and your friend decides to play a game. He enters your PIN wrong 3 times, which then locks the phone for 1 min. He then does it again 3 more times and locks the phone for 10 min. He keeps on doing this until the phone is locked for 60 min.

Would you say that was a DOS? As mentioned above, you're not really using up resources like RAM, HDD or the processor; you are just locking him out of his phone and stopping him from using the phone for 1 hour.


Personally, I would consider this a clear-cut DoS through abuse of the account lockout functionality.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
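The escalating lockout Jamie.R describes (3 wrong attempts, then 1, 10 and 60 minute locks) is worth seeing in code, because the thing that makes it abusable is what the lock is keyed on. The following is an added example, not code from the thread or from any phone or web application: the PIN table, the user and device names and the two keying policies are constructed for the demo. The same escalation schedule is run twice, once keyed on the target account alone (anyone who knows the username can lock it) and once keyed on the (source, account) pair, so the attacker's failures only lock the attacker's own source.

```python
from collections import defaultdict

# Constructed credentials for the demo (not from the thread).
PINS = {"alice": "4821"}
THRESHOLD = 3                       # wrong attempts before a lock is applied
LOCK_SCHEDULE = [60, 600, 3600]     # 1 min, 10 min, 60 min, as in Jamie.R's post


class Lockout:
    """Escalating lockout. key_fn decides what the lock is attached to:
    the target username alone, or the (source, username) pair."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.failures = defaultdict(int)       # consecutive failures per key
        self.level = defaultdict(int)          # how far up LOCK_SCHEDULE we are
        self.locked_until = defaultdict(float) # epoch seconds; 0 = not locked

    def attempt(self, source: str, username: str, pin: str, now: float) -> str:
        key = self.key_fn(source, username)
        if now < self.locked_until[key]:
            return "locked"
        if PINS.get(username) == pin:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= THRESHOLD:
            step = min(self.level[key], len(LOCK_SCHEDULE) - 1)   # cap at 60 min
            self.locked_until[key] = now + LOCK_SCHEDULE[step]
            self.level[key] += 1
            self.failures[key] = 0
        return "denied"

    def remaining(self, source: str, username: str, now: float) -> float:
        """Seconds of lock left for this key, 0 if not locked."""
        return max(0.0, self.locked_until[self.key_fn(source, username)] - now)


def by_account(source, username):
    """Flawed keying: the lock follows the victim's account wherever they log in from."""
    return username


def by_source_and_account(source, username):
    """Alternative keying: the lock follows the client that produced the failures."""
    return (source, username)


def run_attack(policy: Lockout, now: float = 0.0) -> dict:
    """Attacker 'mallory' fails THRESHOLD times against alice from mallory's own
    device, then alice tries her correct PIN from her own device."""
    for _ in range(THRESHOLD):
        policy.attempt("mallory-laptop", "alice", "0000", now)
    return {
        "victim": policy.attempt("alice-phone", "alice", "4821", now),
        "attacker": policy.attempt("mallory-laptop", "alice", "4821", now),
        "lock_seconds": policy.remaining("mallory-laptop", "alice", now),
    }


if __name__ == "__main__":
    print("keyed on account:           ", run_attack(Lockout(by_account)))
    print("keyed on source and account:", run_attack(Lockout(by_source_and_account)))
```

With the account-keyed policy the victim's correct PIN is refused with "locked"; with the source-keyed policy the victim gets "ok" and only the attacker's client is locked. Keying on the source is not a complete answer either (an attacker with many sources can still guess at full speed against one account), so in practice I would pair it with a per-account failure counter that triggers a step-up such as a CAPTCHA or a second factor, and an alert on the failure rate, rather than a hard lock an outsider can trip at will.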
Jamie.R
Post Wed Aug 22, 2012 8:40 am

So what's the difference between locking someone's phone and denying someone access to make a purchase? I think there is no difference, or a really small difference that does not matter.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
m0wgli
Post Wed Aug 22, 2012 10:17 am

I believe the distinction between the two is that the DoS condition you refer to in the reserve and collect function is a consequence of the application's flawed functionality/logic. It is this flaw that is the underlying issue and is therefore the issue that should be reported. If the functionality was implemented correctly it couldn't be abused to cause the situation you describe.

The account lockout functionality isn't flawed, as it is functioning as intended, i.e. reacting to incorrect logins. It is the abuse of its intended function resulting in a DoS that would be the issue.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
Jamie.R
Post Wed Aug 22, 2012 10:54 am

Good points, but would the developer not argue that reserve and collect was implemented and is a function of the site? And in both cases, the phone case and the reserve and collect case, the features are being abused?

I am just trying to look at this from different points of view. As I have said, I think it's very 50/50 on being a DOS / logic-function flaw.

I think everyone will have a different view on what they would class it as.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
sternone
Post Wed Aug 22, 2012 11:00 am

The phone locking out the user is not a DoS. It's how the system was programmed.

A denial of service is just a condition when, for example because of an attack, the servers become unresponsive or the network is unreachable.

You guys are confusing bugs and software functionality that locks out a user with a Denial of Service.

Otherwise every condition with a bug or with a programmed function becomes a DoS; why would you call them bugs? Just call them all DOS then, or even more, call every 'programmed safety function' that takes out a user for a certain time (as intended, too!!) a DoS!!

It's almost funny...  :D
Try harder....hmpf!!
Jamie.R
Post Wed Aug 22, 2012 11:24 am

sternone, I don't think we're confusing them; I'm just trying to point out that it's sometimes hard to decide between the two. Even if you look at this post, some people said it's a type of DOS, some said no way, so there is a lot of confusion around it.

Wikipedia says "In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users".

So by purchasing the entire shop when you have no intention of paying for it, are you not in a way making resources unavailable to their intended users?

If you stop your friend from having access to his phone by entering the PIN wrong so many times, are you not denying him access to his machine?

I'm just trying to say that it's sometimes hard to identify whether an issue is a DOS, a logical flaw or any other type of flaw.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
sternone
Post Wed Aug 22, 2012 11:33 am

Jamie.R wrote: sternone, I don't think we're confusing them; I'm just trying to point out that it's sometimes hard to decide between the two. Even if you look at this post, some people said it's a type of DOS, some said no way, so there is a lot of confusion around it.

Wikipedia says "In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users".

So by purchasing the entire shop when you have no intention of paying for it, are you not in a way making resources unavailable to their intended users?

If you stop your friend from having access to his phone by entering the PIN wrong so many times, are you not denying him access to his machine?

I'm just trying to say that it's sometimes hard to identify whether an issue is a DOS, a logical flaw or any other type of flaw.


No, you are not.

Wikipedia is very correct; they are talking about the servers or networks not responding.

If you use a bug to lock up a certain function of the program, in this case ordering a product, for a certain period, that is not making the servers or the network unresponsive.

I'm done with this discussion, you can have it all. Sure, all bugs are 'denial of service', and hey, even if we programmed it so you get locked out for a certain period, well then it's a 'denial of service' also.

Yeah right. There is hope in this industry for me after all, if I need to compete with you guys... Sigh... :P
Try harder....hmpf!!
Jamie.R
Post Wed Aug 22, 2012 11:50 am

I was only trying to get people's opinions. I was not stating facts or saying you're wrong and I am right; I'm just trying to look at it from different people's points of view.

:)
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
m0wgli
Post Wed Aug 22, 2012 12:09 pm

sternone wrote: No, you are not.

Wikipedia is very correct; they are talking about the servers or networks not responding.

If you use a bug to lock up a certain function of the program, in this case ordering a product, for a certain period, that is not making the servers or the network unresponsive.

I'm done with this discussion, you can have it all. Sure, all bugs are 'denial of service', and hey, even if we programmed it so you get locked out for a certain period, well then it's a 'denial of service' also.

Yeah right. There is hope in this industry for me after all, if I need to compete with you guys... Sigh... :P


I wouldn't entirely rely on Wikipedia as a source of information, if at all. They are discussing DoS at the network layer; DoS can also occur at the application layer.

With regard to abusing the account lockout process to cause a DoS, here's a couple of links that I suggest you read:

http://projects.webappsec.org/w/page/13 ... %20Service

https://www.owasp.org/index.php/Denial_of_Service

http://technet.microsoft.com/en-us/libr ... 10%29.aspx
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
Jamie.R
Post Thu Aug 23, 2012 3:31 am

Thanks for the links.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er