Level 46
Yeah, it's a pretty primitive DOS attack. But it's not a security issue.
Mar 5, 2018
5
Level 3
Request->all() DOS attack ?
me and my friend thought if we are a hacker ,we can do something like $postLink = "http://www.xyz.com?"; ($i < 0 ; $i < 10000000000000 ; $i++){ $postLink += "abc" + i; }
curl('post' , $postlink);
by doing that I can slow down the server is that correct? because it needs to read every single input that I pass in, can't see a reason why we should use request->all() in any case
Level 17
You're URI will exceed the limit, both that of the amount of GET parameters as well as the header size.
Also, just to clarify, this is not a DOS attack. Its just a very heavy request that the server will need to take care of, but it won't slow it down much.
If you would loop though the parameters the other way, it would be a DOS, so
Url?id=1 Url?id=2 ... Url?id=999999
You just have to set curl to not wait for the answer, otherwise you'll be slowing yourself down as much as the other.
1 like
Level 3
Why do I get the feeling there is a lovely school website about to get a bashing.
2 likes
Level 67
Same thing would happen whether or not you used $request->all(). It still has to bootstrap laravel and process everything, for each request. This is a very basic DoS attack. If you had 5,000 machines all running it then it would be more of a DDoS attack because at that point it could overwhelm the server, but a single machine? Probably wouldn't notice much if anything. And you'd never notice it even with 10,000 boxes doing it if your site was using cloudfare or similar. They'd detect it and just blackhole the requests so they don't even touch the server.
Level 65
FYI: this is called a Layer 7 attack. Most apps can be affected by this and it's hard to stop unless you have some filtering etc.
Please or to participate in this conversation.