I am testing a website (a bug bounty website) and found an endpoint like
replycomment?cmt_id()=1. When opened in a browser, this endpoint lets me reply to the comment with id 1 by fetching this comment into a textarea and formatting it for me.
So I can do something like
replycomment?cmt_id()=1,2,3,4 to fetch the values of multiple comments.
I tried to create the longest possible comment and fetch this comment as many times as possible (450 times for now):
- The website responds with 30 MB of data
- The website responds in 2.5 seconds; this is the time the server takes to prepare the data, not to actually transfer the 30 MB of data.
Is it feasible for a DoS attack? If yes, what are your reasons to believe so?
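From the defending side, the amplification described in the post (one request whose cmt_id() list repeats an id to multiply the response) can be bounded by validating the list before any comment is fetched. The following is an added sketch, not part of the original post and not the site's code; MAX_IDS, MAX_COMMENT_BYTES, MAX_ID_DIGITS, BadRequest and the example.test host are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

PARAM = "cmt_id()"            # parameter name as written in the post
MAX_IDS = 20                  # assumed cap on distinct comments per request
MAX_ID_DIGITS = 10            # assumed upper bound on the length of one id
MAX_COMMENT_BYTES = 10_000    # assumed maximum stored comment size


class BadRequest(ValueError):
    """The id list is malformed or too large; answer with HTTP 400."""


def parse_comment_ids(url: str) -> list[int]:
    """Return validated comment ids, de-duplicated in first-seen order."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get(PARAM, [])
    if len(values) != 1:
        raise BadRequest("exactly one cmt_id() parameter is required")

    seen: dict[int, None] = {}          # dict keeps insertion order
    for token in values[0].split(","):
        token = token.strip()
        if not (token.isascii() and token.isdigit()):
            raise BadRequest(f"non-numeric id: {token!r}")
        if len(token) > MAX_ID_DIGITS:
            raise BadRequest("id too long")
        seen.setdefault(int(token), None)   # a repeated id costs nothing extra
        if len(seen) > MAX_IDS:
            raise BadRequest(f"more than {MAX_IDS} distinct ids")
    return list(seen)


def worst_case_bytes(ids: list[int]) -> int:
    """Upper bound on comment payload the server will assemble for these ids."""
    return len(ids) * MAX_COMMENT_BYTES


if __name__ == "__main__":
    # Constructed input: the same id repeated 450 times, as in the post.
    repeated = "https://example.test/replycomment?cmt_id()=" + ",".join(["1"] * 450)
    ids = parse_comment_ids(repeated)
    print(ids, worst_case_bytes(ids))
```

With de-duplication and a count cap in place, the largest response a single request can trigger is fixed by MAX_IDS times the maximum comment size, regardless of how many ids the query string lists.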