database server's CPU will reach 100% utilization. At this point the
system will likely be inaccessible to normal user activity.
DoS targeting a specific user
An intruder will repeatedly attempt to login to a web site as some
user, purposely doing so with an invalid password. This process will
eventually lock out the user.
DoS targeting the Database server
An intruder will use SQL injection techniques to modify the database
so that the system becomes unusable (e.g., deleting all data, deleting
all usernames, etc.).
DoS targeting the Web server
An intruder will use Buffer Overflow techniques to send a specially
crafted request that will crash the web server process, and the
system will be inaccessible to normal user activity.
6.3 Insufficient Anti-automation
Insufficient Anti-automation is when a web site permits an attacker to
automate a process that should only be performed manually. Certain
web site functionalities should be protected against automated
attacks.
Left unchecked, automated robots (programs) or attackers could
repeatedly exercise web site functionality attempting to exploit or
defraud the system. An automated robot could potentially execute
thousands of requests a minute, causing potential loss of
performance or service.
For example, an automated robot should not be able to sign up ten
thousand new accounts in a few minutes. Similarly, automated robots
should not be able to annoy other users with repeated message
board postings. These operations should be limited only to human
usage.
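The sign-up flood above and the user-targeted lockout in the DoS section share one
defensive control: a per-source request throttle. The following Python is an added
example written for this page, not code from the WASC document; the sliding-window
algorithm, the limits (5 sign-ups per 10 minutes, 5 login attempts per 5 minutes),
the addresses and the user name "alice" are all constructed for illustration. It
applies the same limiter to account creation (keyed by source address) and to
login attempts (keyed by source address and account), so that repeated bad
passwords from one source are throttled without locking the targeted user out for
everyone else.

```python
"""Sliding-window throttling for two of the abuses described above:
automated account sign-ups and repeated failed logins against one user.
Added example for this page; it is not code from the WASC document."""
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any span of `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key, now=None):
        """Record one event for `key`; return False when the key is over its limit."""
        now = time.monotonic() if now is None else now
        q = self._events[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_signup(limiter, source_ip, now):
    """Account creation, throttled per requesting address."""
    return "created" if limiter.allow(source_ip, now) else "throttled"


def check_login(limiter, source_ip, username, password_ok, now):
    """Login attempt. Every attempt is counted per (source, account) rather than
    locking the account, so a remote party cannot lock out a chosen user; the
    password is only evaluated once the throttle has admitted the attempt."""
    if not limiter.allow((source_ip, username), now):
        return "throttled"
    return "ok" if password_ok else "bad-password"


def simulate_signup_flood(attempts, limit=5, window=600.0, source_ip="198.51.100.7"):
    """Constructed flood: `attempts` sign-ups from one address, 10 ms apart.
    Returns (created, throttled)."""
    limiter = SlidingWindowLimiter(limit, window)
    results = [handle_signup(limiter, source_ip, i * 0.01) for i in range(attempts)]
    return results.count("created"), results.count("throttled")


def simulate_password_guessing(attempts, limit=5, window=300.0):
    """Constructed burst: `attempts` wrong passwords for 'alice' from one address,
    one per second, followed by alice's own correct login from another address.
    Returns (bad_password, throttled, legitimate_result)."""
    limiter = SlidingWindowLimiter(limit, window)
    burst = [check_login(limiter, "198.51.100.7", "alice", False, float(i))
             for i in range(attempts)]
    legit = check_login(limiter, "203.0.113.9", "alice", True, float(attempts))
    return burst.count("bad-password"), burst.count("throttled"), legit


if __name__ == "__main__":
    print(simulate_signup_flood(10000))     # (5, 9995)
    print(simulate_password_guessing(100))  # (5, 95, 'ok')
```

The throttle keeps per-key state in memory, which is enough for a single server; a
load-balanced site would hold the counters in shared storage. Throttled and
rejected attempts are also the events worth logging, since a long run of them from
one source is the signal that distinguishes an automated client from a person.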
59
Copyright 2004, Web Application Security Consortium. All rights reserved.