Testing for DoS Failure to Release Resources (OWASP-DS-007)

[Up]

If an error occurs in the application that prevents the release of an in-use resource, it can become unavailable for use. The first example would be locking a file for writing, and then an exception occurring which does not explicitly close and unlock the file.

A second example occurs in languages where the developer is responsible for memory management such as C & C++, if memory is leaked because of a failure. In the case where an error causes normal logic flow to be circumvented, the allocated memory may not be removed and may be left in such a state that the garbage collector does not know it should be reclaimed.

A third example would be the use of DB connection objects where the objects are not being freed if an exception is thrown. A number of such repeated requests can cause the application to consume all the db connections, as the code will still hold the open DB object, never releasing the resource.

Code Example
The following is an example of vulnerable code in Java. In the example, both the Connection and the CallableStatement should be closed in a finally block.

public class AccountDAO { … …   public void createAccount(AccountInfo acct) throws AcctCreationException { … …	try { Connection conn = DAOFactory.getConnection; CallableStatement calStmt = conn.prepareCall(…); … …	         calStmt.executeUpdate; calStmt.close; conn.close; } catch (java.sql.SQLException e) { throw AcctCreationException (...); }   } }

Testing Black Box
Generally, it will be very difficult to observe these types of resource leaks in a pure black box test. If you can find a request you suspect is performing a database operation, which will cause the server to throw an error that looks like it might be an unhandled exception, you can automate the process of sending a few hundred of these requests very quickly. Observe any slowdown or new error messages from the application while using it during normal, legitimate use.

Testing White Box
If access to the servers is available during testing, it may be possible to observe the memory or disk usage on the server while trying to inject data into the application, with the intent of causing an exception or error that may not be handled cleanly by the application. Attempts to cause these types of errors should include special characters that may not have been expected as valid data (e.g., !, |, and ‘).

If reviewing the code directly, look for places within the application that relate to the three types of leaks mentioned in the summary:
 * 1) Are files locked for write any place within the application?  This can cause problems in a multi-user web application even without a failure condition, so should be flagged for closer observation.  If an error occurs, will the lock be removed?
 * 2) If dealing with C/C++ or any other language where the developer is directly responsible for memory management, is all allocated memory freed, even during an error condition?
 * 3) Anywhere that connection pools are being used, such as for database connectivity, will objects be returned to the pool even during a failure condition?  Does the pool have a cap on how many objects it will eventually create for use if an object is not available?