00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sonny Wear, and this is the SANS Top 25 Risky Resource Management Lab.
00:15
We will be using WebGoat's Denial of Service from Multiple Logins exercise.
00:21
This is the lab for denial of service, and we'll be using WebGoat's Denial of Service from Multiple Logins.
00:30
This exercise is really about exhausting resources.
00:35
It's not so much about the logins as it is showing that you have a limited amount of
00:43
resources on your server or in your application that can get exhausted. And once they do,
00:52
they can bring your website to complete
00:55
denial of availability or denial of service. And so that's what this
01:00
exercise is trying to simulate.
01:03
So the instructions tell us that denial of service attacks are a major issue in Web applications. If the end user cannot conduct business or perform the service offered by the Web application, both time and money are wasted.
01:19
Here is our goal. The site allows a user to log in multiple times.
01:26
This site has a database connection pool that only allows two connections. Now that's not very realistic,
01:34
but once again for demonstrative purposes, they needed to have a limit
01:40
to the pool that was relatively small. To show that a denial of service would occur,
01:47
you must obtain a list of valid users and create a total of three logins.
01:52
Now, there's different ways that we could try to go about enumerating user names.
01:59
The easiest, of course, is gonna be a SQL injection. So we'll try that first. But just bear in mind, if there's a particular string that we could grep on, we could actually use the Intruder inside of Burp Suite to do this as well,
02:15
but let's start with the easy stuff.
02:17
So let's say we have a test
02:23
and we use our tick. Then we're gonna use our "or" and our "1=1" attack.
02:31
And this is always tricky because you're never sure what type of database you might be going against. So the syntax is always just a little bit different,
02:43
and so we will try this one
02:47
okay, and it is susceptible to
02:51
SQL injection, so we're able to get that list of users.
02:54
So now all we need to do is open two more tabs
03:00
and log in as these different
03:55
Okay. And so even though,
03:59
you know, this is just a simulation,
04:01
the purpose was to show you that resources are limited. And if they're brought to exhaustion, they can bring a web application
04:13
to its knees and basically make it unavailable to end users.