Web applications not using Anti csrf tokens may lead to denial of service attack. Yes, it is possible! With the help of intruder functionality in burp suite, it is possible to perform the attack with these type of vulnerable forms. Below is the image containing the request of a vulnerable website developed in CorePHP without cloudfare or WAF.
No use of CSRF tokens in the registration form or in the whole website, first two of the fields are vulnerable to stored XSS with the less complex payloads.
In the website, the form is taking 3 different images of the product. So after filling up the form catch the request with any proxy tool (Burpsuite here). Send the request on intruder tab. In the attack, type chooses the cluster bomb option to set the multiple lists of payloads as shown in the below image. you have to compulsory choose those fields which are mandatory. In this example minimum 7 list of payloads are needed which includes Email-ID, Name, Phone-No etc. Go to ‘option’ tab and load the generic list as per field name. Every payload list must contain at least 1000 different ids or names. You can change the other options like threads, 404 retry, handling 500 error etc.
After setting all these options, Go to back to the intruder’s main tab and click on start attack. the request with the 200 response will start executing. the whole attack can be put on repeat with ‘repeat attack’ option from Attack menu. After 15 to 20 repeats simountaniously site will return the general exception which admin have set up on 404 page. If site is vulnerable with this much request it will return the error of 404 in any browser. I’ve lost the image of the sites homepage after the attack but definitely this attack works.
This scenario occurs in rare cases when developer had not use the CSRF protection and the forms also vulnerable to XSS or HPP or any other severe webapp related vulnerabilities.