A Denial-of-Service (DoS) attack is a malicious attempt to disrupt the normal functioning of a system or network, in this case – a web application. One sophisticated form of such an attack exploits vulnerabilities in the processing of floating-point numbers. In our scenario, attackers manipulate the system’s handling of floating-point arithmetic, leading to inaccurate calculations and potential system failures. This method challenges the reliability of numerical computations and poses a serious threat to the stability and availability of targeted systems.
DoS attack via floating-point numbers – real-life example
During one of the penetration tests we conducted, it was discovered that the application accepts parameters in floating-point number form. Floating-point numbers are often encountered in transactions involving monetary values, such as in e-commerce applications. Typically, monetary values do not require more than 2 decimal places. Therefore, during tests, we always check what happens when we send more digits after the decimal point to the application. This allows us to verify whether the application’s underlying code accounts for such situations and responds effectively. If not, it may lead to consequences like continuous server disruption or temporary issues until the server is restarted, affecting all application users.
Let’s consider an example. During the security tests, one of the HTTP requests to the application included a parameter in JSON format representing a floating-point number. It’s important to note that a potential vulnerability could involve any data type, such as an integer or even a string variable, however, for this example, a large floating-point number was injected.
The rest of the JSON data format is not needed, so it was removed for the query clarity.
A large number of digits were added in yellow above, creating a floating-point number in the process. Many digits can be quickly created using the example command: seq -s "" 1300000 | tr -d 'eE+i.', generating approximately 7.89 million digits.
The application took about 40 seconds to process this enormous floating-point number, after which it returned information about the successful request. Below is information from Burp Suite software about the response time for the request:
It’s not always necessary to send a massive number of digits after the decimal point. We can also use e-notation, which conveys to the application a large number of digits after the decimal point without needing to include them all in the query content.
Here’s another example, from Exploit Database: https://www.exploit-db.com/exploits/35304.
Instead of providing the entire structure of a floating-point number, e-notation allows us to specify how many digits should be after the decimal point. This example illustrates an alternative way to introduce a malicious number into the application and disrupt software continuity.
Protection methods:
Initially, it is crucial to enforce control over the length of HTTP requests. A Web Application Firewall (WAF) should reject requests that exceed the predefined maximum length. For example, the open-source WAF – ModSecurity allows setting the maximum request body size accepted by the SecRequestBodyLimit directive.
Validate the length and format of input data, especially when dealing with floating-point numbers.
Ensure that the application validates the type and range of received data, preventing unexpected or malicious values. Implement checks to ensure floating-point numbers are within acceptable ranges.
Introduce rate-limiting mechanisms to restrict the number of requests from a single source within a specified time frame, mitigating the impact of DoS attacks by preventing an overwhelming number of requests.
Conduct regular penetration testing and security assessments to identify and address potential vulnerabilities in the system, including specific tests targeting the handling of floating-point numbers.
