During one of my recent pentests, I found an interesting Denial of Service (DoS) vulnerability that allows an attacker to cause the server to become unavailable. The severity of this vulnerability has been classified as HIGH because it can be exploited with a single HTTP request.

I was testing different parameters during the normal process of performing a pentest:

In a server response, I saw the following error:

In situations like this, it is important for a pentester to closely analyze error messages.
This particular error revealed the root cause of the DoS vulnerability, which lies in the way the server processes decimal values using the java.math.BigDecimal class. This class is designed to handle large numbers, but when improperly managed, it can lead to resource exhaustion and server unresponsiveness.
This vulnerability has been previously reported and tracked under the Java Development Kit issue JDK-6560193, which highlights problems with the java.math.BigDecimal class.
Due to this, the auditor sent the following request:


As a result, the server stopped responding. 5e999999999 is written in scientific notation and represents 5 × 10^999999999. Allowing the processing of such large numbers may exhaust the server’s resources.
Summary Remember, that any decimal input values processed using the java.math.BigDecimal class should be validated. Only business-justified values should be accepted.


#CyberSecurity #DoS #Pentesting #VulnerabilityResearch #ServerSecurity #Infosec #SecurityTesting #PentestChronicles