Long String DoS

Jerry Shah (Jerry)
3 min readFeb 26, 2020

--

Summary : By sending a very long string (100000 characters) it’s possible to cause a denial a service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually this problem is caused by a vulnerable string hashing implementation. When a long string is sent, the string hashing process will result in CPU and memory exhaustion.

This vulnerability was detected by sending strings with various lengths and comparing the measured response times.

I found this vulnerability on one of the private program on HackerOne. I found it while creating an account, I used the long password string for testing this vulnerability and I got 500 Internal Server Error. So it was confirmed that it is vulnerable.

Now here the minor concern is people always try to find this vulnerability on password function as I did, but you can find this at many places like :

  1. Username
  2. Firstname or Lastname
  3. Email Address (create your own email using temp-mail)
  4. Address
  5. Text-Area
  6. Comment Section

and many more..!!

I would like to give an example that why username ? Say for example I’m using any social media website and I have created 2 accounts for testing purpose. Now in account A ‘s username I have entered a long string of 1000 characters and I’m searching for account A from account B then 2 things can be happen :

  1. Either it will keeping on searching for long time
  2. Either the application will crash (500 - Error Code)

How I found this vulnerability :

  1. Go to https://privateprogram.com/signup
  2. Fill the form and enter a long string in password
Long String

3. Click on enter and you’ll get 500 Internal Server error if it is vulnerable

Server Crash

Now many a times it happens that the signup page is not vulnerable to Long String Dos so you can try it while resetting your password.

Resetting Password using Long String

I found it on resetting password and got successful, so I reported to the company and the gave me bounty of 100$

NOTE : This DoS attack falls under the Application Level DoS and not Network Level DoS so you can report it. In some company’s policy of Out-Of-Scope, you’ll find “Denial of Service” which means Network Level DoS and not Application Level DoS. If the company has stated that “Any kind of DoS” is Out-Of-Scope that means you can’t report either of them.

Thank You :)

Instagram : jerry._.3

--

--

Jerry Shah (Jerry)

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|