Difference between revisions of "Testing for DoS Failure to Release Resources (OWASP-DS-007)"

From OWASP
Jump to: navigation, search
(Undo revision 61590 by ElougEtvar (Talk))
 
(5 intermediate revisions by 4 users not shown)
Line 1: Line 1:
[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br>
+
{{Template:OWASP Testing Guide v3}}
{{Template:OWASP Testing Guide v2}}
+
  
 
== Brief Summary ==
 
== Brief Summary ==
Line 6: Line 5:
  
 
== Description of the Issue ==  
 
== Description of the Issue ==  
If an error occurs in the application that prevents the release of an in-use resource, it can become unavailable for further use. Possible examples include:
+
If an error occurs in the application that prevents the release of an in-use resource, that resource can become unavailable for further use. Possible examples include:
* An application locks a file for writing, and then an exception occurres but does not explicitly close and unlock the file
+
* An application locks a file for writing, but when an exception occurs, it does not explicitly close and unlock the file
* Memory leaking in languages where the developer is responsible for memory management such as C & C++. In the case where an error causes normal logic flow to be circumvented, the allocated memory may not be removed and may be left in such a state that the garbage collector does not know it should be reclaimed
+
* Memory leaking in languages where the developer is responsible for memory management such as C and C++. In the case where an error causes the normal logic flow to be circumvented, the allocated memory may not be removed and may be left in such a state that the garbage collector does not know it should reclaim it
 
* Use of DB connection objects where the objects are not being freed if an exception is thrown. A number of such repeated requests can cause the application to consume all the DB connections, as the code will still hold the open DB object, never releasing the resource.
 
* Use of DB connection objects where the objects are not being freed if an exception is thrown. A number of such repeated requests can cause the application to consume all the DB connections, as the code will still hold the open DB object, never releasing the resource.
  
Line 35: Line 34:
 
==Black Box Testing and Examples==
 
==Black Box Testing and Examples==
  
Generally, it will be very difficult to observe these types of resource leaks in a pure black box test.  If you can find a request you suspect is performing a database operation, which will cause the server to throw an error that looks like it might be an unhandled exception, you can automate the process of sending a few hundred of these requests very quickly.  Observe any slowdown or new error messages from the application while using it during normal, legitimate use.
+
Generally, it will be very difficult to observe these types of resource leaks in a pure black box test.  If you can find a request that you suspect is performing a database operation, and that will cause the server to throw an error which may not be properly handled, then you can automate the process of sending a few hundred of these requests very quickly.  Observe any slowdown or new error messages from the application while using it during normal, legitimate use.
  
 
==Gray Box Testing and Examples==
 
==Gray Box Testing and Examples==
Line 46: Line 45:
  
 
<br>
 
<br>
{{Category:OWASP Testing Project AoC}}
 
 
[[category:Denial of Service Attack]]
 
[[category:Denial of Service Attack]]

Latest revision as of 13:47, 24 May 2009

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here

Contents


Brief Summary

With this test, we check that the application properly releases resources (files and/or memory) after they have been used.

Description of the Issue

If an error occurs in the application that prevents the release of an in-use resource, that resource can become unavailable for further use. Possible examples include:

  • An application locks a file for writing, but when an exception occurs, it does not explicitly close and unlock the file
  • Memory leaking in languages where the developer is responsible for memory management such as C and C++. In the case where an error causes the normal logic flow to be circumvented, the allocated memory may not be removed and may be left in such a state that the garbage collector does not know it should reclaim it
  • Use of DB connection objects where the objects are not being freed if an exception is thrown. A number of such repeated requests can cause the application to consume all the DB connections, as the code will still hold the open DB object, never releasing the resource.

The following is an example of vulnerable code in Java. In the example, both the Connection and the CallableStatement should be closed in a finally block.

public class AccountDAO {
    … …
    public void createAccount(AccountInfo acct)  
                 throws AcctCreationException {
       … …
	try {
	   Connection conn = DAOFactory.getConnection();
	   CallableStatement  calStmt = conn.prepareCall(…);
          … …	
          calStmt.executeUpdate();
	   calStmt.close();
          conn.close();
       }  catch (java.sql.SQLException e) {
	   throw AcctCreationException (...);
       }
    }
}

Black Box Testing and Examples

Generally, it will be very difficult to observe these types of resource leaks in a pure black box test. If you can find a request that you suspect is performing a database operation, and that will cause the server to throw an error which may not be properly handled, then you can automate the process of sending a few hundred of these requests very quickly. Observe any slowdown or new error messages from the application while using it during normal, legitimate use.

Gray Box Testing and Examples

It might be possible, in some cases, to monitor the disk space and/or the memory usage of the target. That can happen usually when the test is performed over a local network. Possible ways to obtain this information include the following scenarios:

  1. The server that hosts the application allows the tester to mount its filesystem or some parts of it
  2. The server provides disk space and/or memory usage information via SNMP

In such cases, it may be possible to observe the memory or disk usage on the server while trying to inject data into the application, with the intent of causing an exception or error that may not be handled cleanly by the application. Attempts to cause these types of errors should include special characters that may not have been expected as valid data (e.g., !, |, and ‘).