
Denial of Service Due to Improper Handling of Decimal Values

Dariusz Tytko

During one of my recent pentests, I found an interesting Denial of Service (DoS) vulnerability that lets an attacker make the server unavailable. I classified its severity as HIGH because it can be exploited with a single HTTP request.

I was testing different parameters, as part of the normal course of a pentest:

[Screenshot: parameter testing]

In a server response, I saw the following error:

[Screenshot: server error]

In situations like this, it is important for a pentester to closely analyze error messages: a verbose stack trace usually names the class or library that failed, and that is exactly what happened here.

This particular error revealed the root cause of the DoS vulnerability: the server parses the parameter into a java.math.BigDecimal. BigDecimal is an arbitrary-precision type that stores a number as an unscaled integer together with a 32-bit scale (in effect the exponent), so a value such as 5e999999999 is parsed instantly and occupies only a few bytes. The cost comes later. Any operation that has to materialise the digits (setScale, toPlainString, toBigInteger or intValue, addition or comparison with a value of a different scale, and similar) must first build an integer with roughly a billion digits. Without input validation that exhausts CPU time and heap, and the server stops responding.

The underlying behaviour is a known, previously reported JDK issue, tracked as JDK-6560193, which concerns the java.math.BigDecimal class.

With this in mind, I sent the following request:

[Screenshot: DoS request]

As a result, the server stopped responding. The payload 5e999999999 is scientific notation for 5 × 10^999999999: an eleven-character string that describes a number with a billion digits. Allowing such values to reach arithmetic or formatting code exhausts the server's resources. Note that a plain length limit on the parameter does not help on its own; the input is short, it is the expanded value that is enormous.

Summary

Remember that any decimal input processed with the java.math.BigDecimal class must be validated before it is used: bound the raw input length, reject exponent notation unless the business case needs it, and check the parsed value's precision() and scale() against limits before calling anything that expands the number. Only business-justified values should be accepted.
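To make that recommendation concrete, here is an added example (my own illustration, not code from the tested application or from the JDK): a vulnerable amount parser next to a hardened one. The class and method names, the limits of 15 integer and 4 fraction digits, and the sample inputs are assumptions chosen for illustration; the limits should be replaced by whatever the business case actually justifies.

```java
import java.math.BigDecimal;
import java.math.RoundingMode;

// Added example, not code from the original article. Names, limits and sample
// inputs are assumptions for illustration.
public class DecimalInputCheck {

    // VULNERABLE: new BigDecimal("5e999999999") is cheap (unscaled value 5, scale
    // -999999999), but setScale(2) must build 5 followed by about a billion zeros
    // before it can round, which burns CPU and heap until the JVM gives up.
    static BigDecimal parseAmountVulnerable(String input) {
        return new BigDecimal(input).setScale(2, RoundingMode.HALF_UP);
    }

    static final int MAX_INPUT_LENGTH = 32;    // cheap first gate; NOT sufficient alone
    static final int MAX_INTEGER_DIGITS = 15;  // assumed business limit
    static final int MAX_FRACTION_DIGITS = 4;  // assumed business limit

    // HARDENED: bound the value before any operation that could expand it.
    static BigDecimal parseAmountSafe(String input) {
        if (input == null || input.length() > MAX_INPUT_LENGTH) {
            throw new IllegalArgumentException("input too long");
        }
        BigDecimal value;
        try {
            value = new BigDecimal(input); // parsing only stores unscaled value + scale
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("not a decimal");
        }
        // precision() = number of digits in the unscaled value, scale() = position of
        // the decimal point. Both are cheap to read, and from them the size of the
        // expanded number can be computed without ever expanding it. The arithmetic
        // is done in long because scale() can be close to Integer.MIN_VALUE and
        // precision() - scale() would overflow an int (and pass the check).
        long integerDigits = (long) value.precision() - value.scale(); // "5e999999999" -> 1e9
        long fractionDigits = Math.max((long) value.scale(), 0L);      // "5e-999999999" -> 1e9
        if (integerDigits > MAX_INTEGER_DIGITS || fractionDigits > MAX_FRACTION_DIGITS) {
            throw new IllegalArgumentException("value out of accepted range");
        }
        return value.setScale(2, RoundingMode.HALF_UP); // now at most ~19 digits
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate amount, the DoS payload from the
        // article, its mirror image with a huge negative exponent, and too many decimals.
        String[] samples = { "19.99", "5e999999999", "5e-999999999", "0.12345" };
        for (String s : samples) {
            try {
                System.out.println(s + " -> accepted as " + parseAmountSafe(s).toPlainString());
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
        // parseAmountVulnerable("5e999999999") is deliberately not called here: it
        // would hang the JVM or exhaust the heap.
    }
}
```

The important point is the order of operations: the raw length check, the parse, and the precision()/scale() comparison are all cheap, and only after they pass does the code call setScale(), the first operation that actually materialises digits. If exponent notation is not needed at all, an even simpler gate is to reject any input containing 'e' or 'E' with a regular expression before parsing, which removes the whole class of inputs at the door.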
