The thing with 0-day Java Vulnerabilities is…

A few days ago, KrebsOnSecurity published a very well written article discussing a new 0-day Java vulnerability and its effect on the Bit9 hack. Now let's be honest: Java vulnerabilities are the hottest thing in security news right now; if a week goes by without a new 0-day, someone is slipping or sleeping.

I would like to look at this from a different angle for a second: the threat landscape angle and the trend it reveals.

It is very interesting to see the change in hackers' approach: from reversing protocols and platforms for vulnerabilities that are usually platform dependent, to relying more and more on overarching, platform-agnostic runtimes such as Java and Flash.

This creates an interesting threat landscape with a multi-platform effect. It is easy to misread reports claiming that Microsoft platforms or others are now less vulnerable than in the past; I believe it is just a matter of hackers changing focus.

Taking a deep look at industrialized hacking, this fits the model well: by hunting for the latest and greatest vulnerabilities, and perhaps buying them from a vulnerability broker that deals in 0-days, hacker groups are able to run indirect campaigns and hit large numbers of infections or data thefts. Just look at the latest attack that hit Facebook, Twitter, Apple, Microsoft and others. It was definitely not a targeted attack but an attempt to hit numbers. Interestingly enough, it used a Java 0-day as the infection vector, and it hit many organizations with different platforms and different ways of securing themselves.

Java is the thing everyone now blames, but yesterday it was the Microsoft platforms, and tomorrow it will be something else. It is not about what is more secure; it is about what hackers focus on. At the end of the day, we should always look at the shortest funnels to cash, just like hackers do. Until then… keep your cup of coffee clean.

Finding the Best Web DoS Attack URL

To establish common ground, I would like to start by explaining some of the theory behind DoS attacks over the HTTP attack vector.

An HTTP DoS attack is usually not based on a vulnerability or known flaw in a web server or service; instead, it is an attempt to bring a server down by exhausting all of its available resources and its service pool. That being said, the common HTTP DoS tools usually operate by generating massive numbers of requests to a specific set of URLs on a website in order to choke the resource pool and deny the service.

One very important element in the process is locating the “Perfect URL”: the URL that causes the most load on the server when requested, requiring the server to process as much data as possible before returning the output to the client. Because of that, the best vector is always the website's search engine, since a search will always require some computation.


What I came to realize is that a simple engine can be written to run a dictionary against a search engine and, by observing the number of results the website returns for each keyword, an automated tool can determine which search term creates the most load on the server and build the DoS URL from that.

Ready, Get Set, Go!

Let's break the idea down into what we want to achieve. We want to run multiple requests against a web server's search URL. Then we want to use a dictionary as the source of search terms and, by parsing the response page for the place where the number of results is reported, find the term that returns the most results (the maximum) and crown it the “Perfect URL” for a DoS attack.

Using Python, I wrote such a tool. It takes as input a search URL, a regex for finding the number of results and a dictionary file, and does what I described above (multithreaded, of course).

Usage looks something like this:

python 'results\s\:\s(\d+)' wordlist.txt

The tool then opens several threads, each taking a word from the dictionary and appending it to the search string. It then looks for the regular expression in the result page and extracts the number of results. Finally, it prints the best URL so far, i.e. the one that produced the highest number of results.

The output looks something like this:

python 'results\s\:\s(\d+)' dictionary.txt
-- Loading Dictionary --
-- Loading Complete --
WORD:tree COUNT:13454 URL:
WORD:woman COUNT:110565 URL:
WORD:man COUNT:203721 URL:

As you can see, the result indicates that the word “man” produced the most search results (203721), and therefore the best URL to run an HTTP DoS attack against this site will be 

In a DoS attack scheme, this kind of tool is used as part of the reconnaissance phase: detecting a good attack URL (or URLs) and then running a DoS tool against it.
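From the defender's side, that reconnaissance phase leaves a recognizable trace in the web server's access log: a single client walking a dictionary through the search endpoint, one distinct term per request. The following is an added example of my own (not the tool from this post) that parses common-log-format lines and flags clients with an unusual number of distinct search terms; the /search path, the q parameter and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:10:00:01 +0000] "GET /search?q=tree HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2013:10:00:01 +0000] "GET /search?q=woman HTTP/1.1" 200 8192
203.0.113.7 - - [10/Mar/2013:10:00:02 +0000] "GET /search?q=man HTTP/1.1" 200 9001
203.0.113.7 - - [10/Mar/2013:10:00:02 +0000] "GET /search?q=house HTTP/1.1" 200 4096
203.0.113.7 - - [10/Mar/2013:10:00:03 +0000] "GET /search?q=car HTTP/1.1" 200 3000
198.51.100.4 - - [10/Mar/2013:10:00:04 +0000] "GET /search?q=man HTTP/1.1" 200 9001
198.51.100.4 - - [10/Mar/2013:10:00:09 +0000] "GET /about HTTP/1.1" 200 1200
"""

# Common log format: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def search_terms_by_client(log_text, search_path="/search", param="q"):
    """Map each client IP to the distinct search terms it requested
    (search_path and param are hypothetical; use the site's real ones)."""
    terms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlparse(rec["target"])
        if url.path != search_path:
            continue
        for value in parse_qs(url.query).get(param, []):
            terms[rec["ip"]].add(value)
    return terms

def flag_dictionary_scanners(log_text, threshold=4, **kw):
    """Clients that queried at least `threshold` distinct terms: candidates
    for rate limiting on the search endpoint or closer review."""
    terms = search_terms_by_client(log_text, **kw)
    return sorted(ip for ip, seen in terms.items() if len(seen) >= threshold)

if __name__ == "__main__":
    print(flag_dictionary_scanners(SAMPLE_LOG))  # ['203.0.113.7']
```

Tune the threshold against the site's normal per-client search volume; a per-IP rate limit or cache on the search endpoint is the corresponding mitigation.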


I am sharing this as an educational tool, designed to be used only in a lab environment and not in the wild. It is meant for research purposes only, and any malicious usage of this tool is prohibited.

File : ( zip file )