Is it Application-Level Denial-of-Service?


#1

Hello everyone,

I am testing new user registration functionality of web application. It sends data to database using POST request which looks like:

POST /f/register/new-user/
Host: www.*.com
Accept: application/json, text/plain, /
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 826749
Connection: close

{“register_form”:{“fname”:“name”,“lname”:“lname”,“emailA”:“test@test.com”}}

I discovered that I can make emailA string as long as I want, there is no length limit. When I send really long string to the server, it responds with database error message and emailA string which I sent, for example I managed to get response from the server with Content-Length: 1000000 and I can make this number even bigger.

What do you guys think?


#2

i have read a same report on hackerone and hacker was paid something like 150$ so i think its a dos or something similar to it like slowing down the server.