Hello readers , I am Aditya , a second year student at Madhav institute of Technology and Science , Gwalior . This is a story of how I found Bug in my college site . So first of the bug I found is DOS attack that is already fixed by the respective developer team In this bug a hacker can manage to make the site unresponsive or hours .
So lets start with the basic understanding of bug so In DOS attack one can overload the server with simultaneously sending the multiple request to the server which leads to 5xx database connection error .
THE EFFECTS OF BUG
One can able to make site server slow or even take them down even if there is exam is going and Sometimes You also may have seen that there is last date of assignment and the moodle is not working So that thing is (!)not done by me 😂.
So For me this is one of the thing I always wanted that I want to hack my college site so I look for major bug such as SQLi , XSS , some kind of logic bugs but found nothing but then I thought about some kind of attack that can flood the server which lead to DOS . So I searched for any parameter that I can bruteforce and send multiple request at same time So there is a function of attendance where one can see his/her attendance is marked or not there is a parameter ‘ID’ . I bruteforce that parameter with approx 200 requests per second and with delay-time 10 millisecond so with this configuration in few seconds in approx 500 requests the server get flooded with these requests and it shows following error
What is the risk level of this bug ?
So this is a priority II [ PII ] bug which means its quite critical for instance if exams is going on an hacker perform this attack so student might not able to give the exam which may lead to chaos to respective faculty and the site college administrator .
Mitigation used to fix the bug :
The developer team already fixed the bug by implementing strict rules in firewall . Now if someone continuously tries send the multiple requests for some specific time the firewall sense that it was a hacker and temporarily block that user .
Bug found : 28 feb 2022
Bug reported : 2nd march
Bug fixed : 4th march
THANKS FOR READING and COMMENT YOUR SUGGESTIONS 😀