Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is the SANS Top 25 Risky Resource Management lab.
We will be using WebGoat's Denial of Service from Multiple Logins exercise.
This is the lab for denial of service, and we'll be using WebGoat's Denial of Service from Multiple Logins.
This exercise is really about exhausting resources.
It's not so much about the logins as it is showing that you have a limited amount of
resources on your server or in your application that can get exhausted. And once they do,
they can bring your website to complete
denial of availability or denial of service. And so that's what this
exercise is trying to simulate.
So the instructions tell us that denial of service attacks are a major issue in web applications. If the end user cannot conduct business or perform the service offered by the web application, both time and money are wasted.
Here is our goal. The site allows a user to log in multiple times.
This site has a database connection pool that only allows two connections. Now that's not very realistic,
but once again, for demonstrative purposes, they needed to have a limit
to the pool that was relatively small. To show that a denial of service would occur,
you must obtain a list of valid users and create a total of three logins.
Now, there are different ways that we could try to go about enumerating user names.
The easiest, of course, is going to be a SQL injection, so we'll try that first. But just bear in mind, if there's a particular string that we could grep on, we could actually use the Intruder inside of Burp Suite to do this as well,
but let's start with the easy stuff.
So let's say we have "test"
and we use our tick. Then we're going to use our "or" and our "1=1" attack.
And this is always tricky because you're never sure what type of database you might be going against, so the syntax is always just a little bit different,
and so we will try this one.
Okay, and it is susceptible to
SQL injection, so we're able to get that list of users.
So now all we need to do is open two more tabs
and log in as these different users.
Okay. And so even though,
you know, this is just a simulation,
the purpose was to show you that resources are limited, and if they're brought to exhaustion, they can bring a web application
to its knees and basically make it unavailable to end users.
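The two pieces of the lab, the tick-or-1=1 user enumeration and the two-connection pool that a third login exhausts, reduced to a runnable example. This is an added illustration written for this page, not WebGoat's code or the lecture's own material; the user table, the `find_users_*` helpers and the `ConnectionPool` class are constructed stand-ins, and the pool simply refuses a third checkout rather than blocking, which is an assumption about how the lab's pool fails.

```python
import sqlite3

# Constructed sample user table (not WebGoat's data): (login, password).
SAMPLE_USERS = [("jeff", "jeff"), ("dave", "dave"), ("bob", "bob")]


def make_db():
    """In-memory SQLite database standing in for the lab's user_data table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (userid INTEGER PRIMARY KEY, login TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_data (login, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def find_users_vulnerable(conn, login):
    """Deliberately vulnerable: the login value is concatenated into the SQL,
    so a tick closes the string literal and `or '1'='1` matches every row."""
    sql = "SELECT login FROM user_data WHERE login = '" + login + "'"
    return [row[0] for row in conn.execute(sql)]


def find_users_safe(conn, login):
    """Hardened form: the login value is bound as a parameter, so the same
    payload is compared literally against the column and matches nothing."""
    sql = "SELECT login FROM user_data WHERE login = ?"
    return [row[0] for row in conn.execute(sql, (login,))]


class ConnectionPool:
    """Fixed-size pool like the lab's: once max_size sessions are checked out,
    the next acquire() fails instead of waiting (assumed failure mode)."""

    def __init__(self, max_size):
        self.max_size = max_size
        self.in_use = 0

    def acquire(self):
        if self.in_use >= self.max_size:
            raise RuntimeError("connection pool exhausted")
        self.in_use += 1
        return self.in_use  # session handle stand-in

    def release(self):
        if self.in_use > 0:
            self.in_use -= 1


def simulate_logins(pool, logins):
    """Open one session per login and never release it, as the lab's extra
    browser tabs do. Returns (logins that got a connection, logins that did not)."""
    ok, denied = [], []
    for name in logins:
        try:
            pool.acquire()
            ok.append(name)
        except RuntimeError:
            denied.append(name)
    return ok, denied


if __name__ == "__main__":
    db = make_db()
    payload = "test' or '1'='1"  # the tick / or / 1=1 injection from the lab
    print("vulnerable:", find_users_vulnerable(db, payload))  # every login
    print("parameterized:", find_users_safe(db, payload))     # []
    pool = ConnectionPool(max_size=2)
    ok, denied = simulate_logins(pool, find_users_vulnerable(db, payload))
    print("connected:", ok, "denied:", denied)               # third login fails
```

The enumeration step uses the `' or '1'='1` variant because it closes the quote cleanly in SQLite; on other engines the comment sequence or quoting rules differ, which is the syntax guesswork the lecture mentions. The pool step shows the resource-management point: the third login is rejected not because its credentials are wrong but because the two earlier sessions never gave their connections back.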