Making website queries that return a large amount of data: can it be exploited for a DOS attack?



  • I am testing a website (bug bounty website) and found an endpoint like replycomment?cmt_id[]=1. When opened in a browser, this endpoint lets me reply to the comment with id 1 by fetching this comment into a textarea and formatting it for me.

    So I can do something like replycomment?cmt_id[]=1,2,3,4 to fetch the values of multiple comments.

    I tried to create the longest possible comment and fetch this comment as many times as possible (450 times for now).

    • The website responds with 30 MB of data.
    • The website responds in 2.5 seconds; this is the time the server takes to prepare the data, not to actually transfer the 30 MB of data.

    Is it feasible for a DOS attack? If yes, what are your reasons to believe so?

    Thanks everyone.



  • The fact alone that a site returns a large amount of data does not mean a DOS. Many sites do this, like all the download and video portals. Don't confuse this with amplification attacks just because a small question leads to a large response. Amplification attacks are about directing this large response to some victim, which is not possible here, i.e. the original client has to read all the data.

    This does not mean that there can be no DOS attack here. Maybe it is possible to use the arguments to cause complex queries against the database which cause a slowdown for other clients. Maybe the application retrieves all results in memory first and one might cause memory exhaustion this way. Maybe maybe maybe ... The given information is not sufficient to decide if these things actually happen or not.
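
One way a server could bound the work behind a request like replycomment?cmt_id[]=1,2,3,4, given as an added example that is not part of the original thread or the site's code: it deduplicates IDs, caps how many distinct comments one request may name, and stops assembling once a byte budget is exceeded. The limits, function names and the `load_comment` callable are assumptions.

```python
from urllib.parse import parse_qs

MAX_IDS = 20                     # assumed cap on distinct comments per request
MAX_REPLY_BYTES = 256 * 1024     # assumed budget for the assembled reply text

class RequestRejected(ValueError):
    """Raised when a request falls outside the limits above."""

def parse_comment_ids(query):
    """Collect cmt_id[] values (comma-separated or repeated), dedupe, cap."""
    ids, seen = [], set()
    for value in parse_qs(query).get("cmt_id[]", []):
        for token in value.split(","):
            token = token.strip()
            if not (token.isascii() and token.isdigit()) or len(token) > 10:
                raise RequestRejected(f"bad comment id: {token[:20]!r}")
            cid = int(token)
            if cid in seen:
                continue         # a repeated ID adds no extra work or output
            seen.add(cid)
            ids.append(cid)
            if len(ids) > MAX_IDS:
                raise RequestRejected("too many comment ids")
    if not ids:
        raise RequestRejected("no comment ids")
    return ids

def build_reply_text(query, load_comment):
    """load_comment is a hypothetical callable: comment id -> text."""
    parts, total = [], 0
    for cid in parse_comment_ids(query):
        body = load_comment(cid)
        total += len(body.encode("utf-8"))
        if total > MAX_REPLY_BYTES:
            raise RequestRejected("reply budget exceeded")
        parts.append(body)
    return "\n\n".join(parts)

if __name__ == "__main__":
    store = {1: "A" * 70_000, 2: "short"}          # constructed sample comments
    repeated = "cmt_id[]=" + ",".join(["1"] * 450)  # same ID named 450 times
    print(len(build_reply_text(repeated, store.__getitem__)))
```

With these checks the size of the response and the number of lookups are fixed by the server's limits rather than by the length of the ID list.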


