The goal of denial of service is to prevent a user or the system from accessing a resource. Refer to Chapters 8, 12, and 14.
Sample Test Cases

Test Case | Description
---|---
AUX, COM1, COM2, COM3, COM4, LPT1, LPT2, LPT3, LPT4, PRN, CLOCK, NUL | Sample DOS device names.
COM1:othertext, filename.COM1, COM1.ext, C:\folder\com1\file.txt | Additional ways to represent DOS device names.
C:\folder\..\..\..\..\..\..\..\..\..\..\..\..\..\..\file.txt | Look for characters that are being filtered, and then provide input that contains many characters that are filtered out.
Send lots of data to the application | The system might react differently depending on the amount of data used. Send lots of data to a feature, starting with a reasonable amount and gradually increasing the amount of data over time to see what happens.
Repeat the same actions over and over | While repeating the same action over and over in an application, monitor for excessive CPU utilization, memory consumption, and any other resource leaks.
Change expected data types | If the application is expecting a numerical value, use alphabetic characters instead. Ideally, the application should handle cases when invalid data is passed into the application, especially if the attacker controls the data.
Fail to close any connections | Attempt to consume all of the connections that the server can handle to prevent new ones from being handled.
Exercise all error code paths | Check to see whether error codes release the appropriate resources.
Look for functions that incur heavy resource penalties | Functions, such as those used for encryption and decryption, can be very expensive. Look for these types of functions and see if a malicious user can remotely cause these functions to get called.
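The first two rows of the table list DOS device names and the alternate spellings that still resolve to the device (a stream suffix such as COM1:othertext, an extension such as COM1.ext, or the name buried in a path component). The validator below is an added example, not code from the book; it checks every path segment and every dot- or colon-separated component of a segment against the reserved set, so each form the table lists is caught. The reserved set extends the page's list with COM5 to COM9, LPT5 to LPT9 and CON, and uses the device's actual spelling CLOCK$ for the entry the page abbreviates as CLOCK.

```python
import re

# Windows reserved device names. The page lists AUX, COM1-COM4, LPT1-LPT4,
# PRN, CLOCK and NUL; the set is filled out with COM5-COM9, LPT5-LPT9, CON
# and the device's actual name CLOCK$.
RESERVED_DEVICES = (
    {"AUX", "PRN", "NUL", "CON", "CLOCK$"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def reserved_device_in(path: str):
    """Return the reserved device name hidden anywhere in `path`, or None.

    Each path segment is split on '.' and ':' so that the forms from the
    table (COM1:othertext, filename.COM1, COM1.ext, C:\\folder\\com1\\file.txt)
    are all recognised. Matching is case-insensitive and ignores the
    trailing spaces that Windows strips from names.
    """
    for segment in re.split(r"[\\/]+", path):
        for component in re.split(r"[.:]", segment):
            candidate = component.strip().upper()
            if candidate in RESERVED_DEVICES:
                return candidate
    return None


def is_safe_filename(path: str) -> bool:
    """True when `path` names no reserved device in any of its components."""
    return reserved_device_in(path) is None


if __name__ == "__main__":
    # Constructed inputs: the table's examples plus one ordinary file name.
    for sample in ("COM1:othertext", "filename.COM1", "COM1.ext",
                   r"C:\folder\com1\file.txt", r"C:\folder\report.txt"):
        print(f"{sample!r:32} -> {reserved_device_in(sample)}")
```

Because the check runs per component rather than on the whole string, an attacker-supplied name cannot hide a device behind an extension, a stream suffix or an intermediate directory; a file-upload or report-export feature would call is_safe_filename before handing the name to the file system.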
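The "Repeat the same actions over and over" and "Exercise all error code paths" rows both come down to measuring whether a code path gives back what it allocates. The harness below is an added example, not code from the book: it drives an action repeatedly under Python's tracemalloc, discards a warm-up phase so caches and interpreter start-up do not count, and reports the net growth in traced memory per iteration. The two handlers it exercises are constructed stand-ins for an application feature, one that leaks and one that does not.

```python
import gc
import tracemalloc

# Constructed stand-in for a handler that keeps a reference to every
# request buffer it sees and never releases it.
_retained_buffers = []


def leaky_action(payload: bytes) -> int:
    _retained_buffers.append(bytearray(payload))
    return len(payload)


def clean_action(payload: bytes) -> int:
    # Allocates the same buffer but lets it go at return.
    return len(bytearray(payload))


def memory_growth(action, payload: bytes, warmup: int = 50, iterations: int = 500) -> int:
    """Run `action(payload)` repeatedly and return the net growth in traced
    memory, in bytes, between the end of the warm-up and the end of the run."""
    tracemalloc.start()
    try:
        for _ in range(warmup):
            action(payload)
        gc.collect()
        before, _ = tracemalloc.get_traced_memory()
        for _ in range(iterations):
            action(payload)
        gc.collect()
        after, _ = tracemalloc.get_traced_memory()
    finally:
        tracemalloc.stop()
    return after - before


def leaks(action, payload: bytes, max_bytes_per_iteration: int = 64, iterations: int = 500) -> bool:
    """True when the action retains more than `max_bytes_per_iteration` on
    average across `iterations` calls. The threshold absorbs allocator noise
    while still flagging a handler that keeps even a small object per call."""
    growth = memory_growth(action, payload, iterations=iterations)
    return growth > max_bytes_per_iteration * iterations


if __name__ == "__main__":
    sample = b"x" * 1024  # constructed request body
    for name, fn in (("leaky_action", leaky_action), ("clean_action", clean_action)):
        print(f"{name}: {memory_growth(fn, sample)} bytes retained, leaks={leaks(fn, sample)}")
```

The same loop works for the error-path row: pass a payload that forces the failure branch and compare its growth against the success branch, since a handler that frees resources only on success shows up as growth that scales with the iteration count.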