Project

General

Profile

Actions

Bug #5094

closed

DoS Vulnerability

Added by Erhan Aydın over 8 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
High
Assignee:
Target version:
Start date:
07/13/2016
Due date:
% Done:

0%

Estimated time:

Description

Using the hangman example provided on the webtoolkit.eu, I could reproduce a DoS vulnerability we encountered on our own servers running wthttpd.

If you capture and resend certain kinds of POST requests to a witty based application, it sends you back a continuously "piling-up" response. This, after a while slows down the server and eventually the server stops responding.

What I did was to press the "New Game" button on the hangman example. This is the request I captured and replayed many times:

@POST /wt/examples/hangman-game/hangman.wt/play?wtd=CpMe3daRC7GwwImq HTTP/1.1

Host: www.webtoolkit.eu

Connection: keep-alive

Content-Length: 300

Origin: https://www.webtoolkit.eu

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Content-type: application/x-www-form-urlencoded

Accept: /

Referer: https://www.webtoolkit.eu/wt/examples/hangman-game/hangman.wt/play

Accept-Encoding: gzip, deflate, br

Accept-Language: en-GB,en-US;q=0.8,en;q=0.6,es;q=0.4

Cookie: _gat=1; _ga=GA1.2.854670646.1466166359

request:jsupdate

signal:saf37

o7rgr7t:1

focus:o7rgr7w

_:/play

tid:o7rgr7w

type:click

clientX:928

clientY:407

documentX:928

documentY:423

dragdX:928

dragdY:423

wheel:--1

screenX:928

screenY:468

scrollX:0

scrollY:0

width:75

height:17

widgetX:16

widgetY:17

button:1

charCode:0

ackId:632444023

pageId:1

:@

These are the requests received, growing each time:

@--------------- RESPONSE 1 ---------------------

Wt.p.response(632444024);{var j39675=Wt3_3_6.$('o7rgr5h');

Wt3_3_6.setHtml(j39675,'\n

Guess the word, guest!

\n ',false);

var j39676=Wt3_3_6.$('o7rgr5i');

Wt3_3_6.setHtml(j39676,'/span>/span>/span>/span>/span>/span>/span>');

Wt3_3_6.hide('o7rgr7t');

Wt3_3_6.hide('o7rgr7w');

Wt3_3_6.show('o7rgr5l');

Wt3_3_6.hide('o7rgr5u');

Wt3_3_6.show('o7rgr5x');

Wt.p.setFormObjects([]);}

--------------- RESPONSE 2 ---------------------

Wt.p.response(632444024);{var j39675=Wt3_3_6.$('o7rgr5h');

Wt3_3_6.setHtml(j39675,'\n

Guess the word, guest!

\n ',false);

var j39676=Wt3_3_6.$('o7rgr5i');

Wt3_3_6.setHtml(j39676,'/span>/span>/span>/span>/span>/span>/span>');

Wt3_3_6.hide('o7rgr7t');

Wt3_3_6.hide('o7rgr7w');

Wt3_3_6.show('o7rgr5l');

Wt3_3_6.hide('o7rgr5u');

Wt3_3_6.show('o7rgr5x');

Wt.p.setFormObjects([]);}{Wt3_3_6.remove('o7rgr8a');Wt3_3_6.remove('o7rgr89');Wt3_3_6.remove('o7rgr88');Wt3_3_6.remove('o7rgr87');Wt3_3_6.remove('o7rgr86');Wt3_3_6.remove('o7rgr85');Wt3_3_6.remove('o7rgr84');Wt3_3_6.remove('o7rgr83');Wt3_3_6.remove('o7rgr82');Wt3_3_6.remove('o7rgr81');Wt3_3_6.remove('o7rgr80');Wt3_3_6.remove('o7rgr7z');Wt3_3_6.remove('o7rgr7y');Wt3_3_6.remove('o7rgr7x');var j39677=Wt3_3_6.$('o7rgr5i');

Wt3_3_6.setHtml(j39677,'/span>/span>/span>/span>/span>/span>/span>-');

Wt3_3_6.show('o7rgr5l');

}

--------------- RESPONSE 3 ---------------------

Wt.p.response(632444024);{var j39675=Wt3_3_6.$('o7rgr5h');

Wt3_3_6.setHtml(j39675,'\n

Guess the word, guest!

\n ',false);

var j39676=Wt3_3_6.$('o7rgr5i');

Wt3_3_6.setHtml(j39676,'/span>/span>/span>/span>/span>/span>/span>');

Wt3_3_6.hide('o7rgr7t');

Wt3_3_6.hide('o7rgr7w');

Wt3_3_6.show('o7rgr5l');

Wt3_3_6.hide('o7rgr5u');

Wt3_3_6.show('o7rgr5x');

Wt.p.setFormObjects([]);}{Wt3_3_6.remove('o7rgr8a');Wt3_3_6.remove('o7rgr89');Wt3_3_6.remove('o7rgr88');Wt3_3_6.remove('o7rgr87');Wt3_3_6.remove('o7rgr86');Wt3_3_6.remove('o7rgr85');Wt3_3_6.remove('o7rgr84');Wt3_3_6.remove('o7rgr83');Wt3_3_6.remove('o7rgr82');Wt3_3_6.remove('o7rgr81');Wt3_3_6.remove('o7rgr80');Wt3_3_6.remove('o7rgr7z');Wt3_3_6.remove('o7rgr7y');Wt3_3_6.remove('o7rgr7x');var j39677=Wt3_3_6.$('o7rgr5i');

Wt3_3_6.setHtml(j39677,'/span>/span>/span>/span>/span>/span>/span>-');

Wt3_3_6.show('o7rgr5l');

}{Wt3_3_6.remove('o7rgr8p');Wt3_3_6.remove('o7rgr8o');Wt3_3_6.remove('o7rgr8n');Wt3_3_6.remove('o7rgr8m');Wt3_3_6.remove('o7rgr8l');Wt3_3_6.remove('o7rgr8k');Wt3_3_6.remove('o7rgr8j');Wt3_3_6.remove('o7rgr8i');Wt3_3_6.remove('o7rgr8h');Wt3_3_6.remove('o7rgr8g');Wt3_3_6.remove('o7rgr8f');Wt3_3_6.remove('o7rgr8e');Wt3_3_6.remove('o7rgr8d');Wt3_3_6.remove('o7rgr8c');Wt3_3_6.remove('o7rgr8b');var j39678=Wt3_3_6.$('o7rgr5i');

Wt3_3_6.setHtml(j39678,'/span>/span>/span>/span>/span>/span>-');

Wt3_3_6.show('o7rgr5l');

}

--------------- RESPONSE 4 ---------------------

Wt.p.response(632444024);{var j39675=Wt3_3_6.$('o7rgr5h');

Wt3_3_6.setHtml(j39675,'\n

Guess the word, guest!

\n ',false);

var j39676=Wt3_3_6.$('o7rgr5i');

Wt3_3_6.setHtml(j39676,'/span>/span>/span>/span>/span>/span>/span>');

Wt3_3_6.hide('o7rgr7t');

Wt3_3_6.hide('o7rgr7w');

Wt3_3_6.show('o7rgr5l');

Wt3_3_6.hide('o7rgr5u');

Wt3_3_6.show('o7rgr5x');

Wt.p.setFormObjects([]);}{Wt3_3_6.remove('o7rgr8a');Wt3_3_6.remove('o7rgr89');Wt3_3_6.remove('o7rgr88');Wt3_3_6.remove('o7rgr87');Wt3_3_6.remove('o7rgr86');Wt3_3_6.remove('o7rgr85');Wt3_3_6.remove('o7rgr84');Wt3_3_6.remove('o7rgr83');Wt3_3_6.remove('o7rgr82');Wt3_3_6.remove('o7rgr81');Wt3_3_6.remove('o7rgr80');Wt3_3_6.remove('o7rgr7z');Wt3_3_6.remove('o7rgr7y');Wt3_3_6.remove('o7rgr7x');var j39677=Wt3_3_6.$('o7rgr5i');

Wt3_3_6.setHtml(j39677,'/span>/span>/span>/span>/span>/span>/span>-');

Wt3_3_6.show('o7rgr5l');

}{Wt3_3_6.remove('o7rgr8p');Wt3_3_6.remove('o7rgr8o');Wt3_3_6.remove('o7rgr8n');Wt3_3_6.remove('o7rgr8m');Wt3_3_6.remove('o7rgr8l');Wt3_3_6.remove('o7rgr8k');Wt3_3_6.remove('o7rgr8j');Wt3_3_6.remove('o7rgr8i');Wt3_3_6.remove('o7rgr8h');Wt3_3_6.remove('o7rgr8g');Wt3_3_6.remove('o7rgr8f');Wt3_3_6.remove('o7rgr8e');Wt3_3_6.remove('o7rgr8d');Wt3_3_6.remove('o7rgr8c');Wt3_3_6.remove('o7rgr8b');var j39678=Wt3_3_6.$('o7rgr5i');

Wt3_3_6.setHtml(j39678,'/span>/span>/span>/span>/span>/span>-');

Wt3_3_6.show('o7rgr5l');

}{Wt3_3_6.remove('o7rgr92');Wt3_3_6.remove('o7rgr91');Wt3_3_6.remove('o7rgr90');Wt3_3_6.remove('o7rgr8z');Wt3_3_6.remove('o7rgr8y');Wt3_3_6.remove('o7rgr8x');Wt3_3_6.remove('o7rgr8w');Wt3_3_6.remove('o7rgr8v');Wt3_3_6.remove('o7rgr8u');Wt3_3_6.remove('o7rgr8t');Wt3_3_6.remove('o7rgr8s');Wt3_3_6.remove('o7rgr8r');Wt3_3_6.remove('o7rgr8q');var j39679=Wt3_3_6.$('o7rgr5i');

Wt3_3_6.setHtml(j39679,'/span>/span>/span>-');

Wt3_3_6.show('o7rgr5l');

}

@

Actions #1

Updated by Koen Deforche over 8 years ago

  • Status changed from New to InProgress
  • Assignee set to Koen Deforche
Actions #2

Updated by Koen Deforche over 8 years ago

  • Status changed from InProgress to Implemented @Emweb
Actions #3

Updated by Koen Deforche over 8 years ago

  • Status changed from Implemented @Emweb to Resolved
  • Target version set to 3.3.6
Actions #4

Updated by Koen Deforche over 8 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF