web application – Making website queries and return a large amount of data, can it be exploited for DOS attack?

I am testing a website (bug bounty website) and found an endpoint like replycomment?cmt_id()=1. When open on browser, this endpoint let me reply to comment with id 1 by fetching this comment into a textarea and format it for me.

So i can do like replycomment?cmt_id()=1,2,3,4 to fetch value of multiple comments.

I try to create the longest possible comment and fetch this comment as many times as possible(450 times for now)

  • The website response with 30mb of data
  • The website response in 2.5 seconds, this is the time server take to prepare data, not actually transfer 30mb of data.

Is it feasible for a DOS attack? If yes, what is your reasons to believe so?

Thanks everyone.