 |
Center for Software Testing Education & Research |
|
Center for Software Testing Education & Research |
Risk-based Testing for DoS Attacks in FireFox
Summary
One of the most common attacks to Internet servers is the DoS, or Denial of Service, attack. A hacker will query a site with massive amounts of information, causing the server to be unable to deal with legitimate web traffic. In Mozilla FireFox, there appears to be no limit to the number of characters that can be entered, meaning that a malicious user could attempt to enter hundreds of megabytes of characters as an Internet address and send the entire amount as a "legitimate" query.
Application Description
Mozilla's FireFox is an Internet browser available for Linux, MacOS, and Windows. At the time of writing this presentation, FireFox was still pre-1.0 (meaning that it was still a preview release for testing purposes).
Test Design
This example demonstrates the use of Risk-based testing. In Risk-based testing, we look for things in one application that commonly fail in many applications. Risk-based testing helps narrow the testing focus to areas that we know have problems. We look at a function with the educated expectation of a certain kind of failure, rather than with a certain correct output.
A DoS (Denial of Service) attack is one of the most common attacks on Internet servers. It typically involves an array of computers being used to send large amounts of data to a single server to "flood" it with requests. Eventually, the server will become so overwhelmed that legitimate users will be denied service.
One way of committing this attack is by transmitting large amounts of data to a server when it is not expecting it. For example, when a server is processing an address, it opens a port, recieves information from the user, searches for that address, and returns the page. From FireFox, a malicious user could potentially send a request for an address that was hundreds or thousands of megabytes long. And since the server needs to retrieve the entire request before processing it, it will continue retrieving the information and deny other users the ability to connect to addresses.
When creating any Internet application, there is a long list of common attacks that the application could be used to do. These attacks are the risks that testers must look for when reviewing the application. Risk-based testing helps by focusing a tester's analysis so that they know, at least in general, what to look for, so that even bugs that are not apparent under normal testing circumstances will come up.
Performing the Test
Results/Relevance
In FireFox, there appeared to be no limit to the amount of characters that we could enter into the address bar. In our own lab, we entered approximately 10 million characters (roughly 9 megabytes) before hitting 'Enter'. Processing the request took quite awhile, but eventually we recieved the message above stating a bad request had been made.
Had this been a coordinated attack, it could have caused quite a bit of trouble for the server, but true DoS attacks are much more intensive and typically do not rely on browsers. However, this still could serve as an outlet for an attack and therefore is a feature that must be limited.
By understanding the common risk in many browsers of DoS attacks, we were able to open FireFox and know immediately where to test. Any area of FireFox that is sending information to a server anonymously to open a port can be an outlet for a DoS attack, and the address bar is the perfect example of this. We were able to quickly find a critical bug, and the quicker we find it, the quicker it can be fixed.
Similar Tests/Additional Notes
Research attacks through Internet browsers online, especially looking for those that affect Microsoft Internet Explorer. Then try finding similar exploits in FireFox. It is likely that problems that effect Internet Explorer will also be trouble spots for FireFox.
Configuration Notes
Testing Mozilla's FireFox v0.9 on:
Home | Privacy Policy | Terms of Use
© Cem Kaner, CSTER, 2004. Web Design by Thomas Bedran
Last updated on
03/14/2005