How We Found & Exploited a Layer 7 DoS Attack on FogBugz

Modern-day Denial of Service (DoS) attacks cause much consternation in the web security industry because they are so inexpensive, easy... and devastating! While the cost of conducting such attacks decreases by the day, the damage caused to target systems escalates with each attack. Attacks that capture the attention of the mass media use an army of infected devices to generate a massive amount of network traffic in order to take down target systems. They are typically low-complexity network attacks whose objective is to render the system unusable for legitimate users. However, not all application layer Denial of Service (DoS) attacks are the same. Though many aim to generate a very large amount of network traffic, sometimes only a few requests are enough to achieve the desired effect. In this article, I explain how specific application behavior I encountered in FogBugz (a web-based project management tool) might easily be used to overload a system. The Netsparker web application security scanner reported this issue in the latest version of FogBugz, early in July 2017.

What to Check to Determine Whether a DoS Vulnerability Existed

The first indicator to check is HTTP status codes. This does not...

Exploiting SSTI and XSS in the CMS Made Simple Web Application

CMS Made Simple is a content management system that was first released in July 2004 as an open source General Public License (GPL) package. It is currently used in both commercial and personal projects. As Security Researchers working on the Netsparker web application vulnerability scanner, we're always excited about testing and scanning new open source web applications for vulnerabilities. Recently, I read researcher Osanda Malith's blog post, CMSMS 2.1.6 Multiple Vulnerabilities, where he explains his findings following a review of the CMS Made Simple source code. I decided to see for myself what I could uncover.

The First Step: Noticing the Parameters in the URL

After installing the CMS on our local system, I was determined to try to find a vulnerability. Of course, from a black box point of view, a freshly installed application with default configuration lacks a lot of functionality. However, I decided to take a closer look. It didn't take long before I noticed the following URL in the address bar of the browser: https://localhost/CMSMS/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=1&cntnt01detailtemplate=Simplex%20News%20Detail&cntnt01returnid=1 Finding so many parameters together in a URL always excites Security Researchers. Why? Well, the...