Extend 'Lack of Resources & Rate Limiting' section

[IgorSasovets]

Hi, team! Thanks for the really great project. I would like to suggest the following changes to the "Lack of Resources & Rate Limiting" section:

• add information about improper query string params validation that could lead to DDoS attack against the server. I often face with a problem of absence of query string parameters validation, especially such parameters as size, 'page', .etc. Let's consider an example.
  Scenario 1
  We have a MEAN stack application that contains the users list on a UI. List of users can be retrieved from the server using a following query:
  /dashboard/users?page=1&size=100
  There are limitation on maximum number of users per page (on UI side) - 200 users. An attacker changes the size parameter in order to retrieve large number of users, for example 200 000 or more and it causes performance issues.

Mentioned scenario can be also used to provoke Integer Overflow or Buffer Overflow errors.
One more suggestion:

• add an attack scenario example for the NoSQL injection.
  But I think it can be discussed in the separate issue.

[PauloASilva]

Hi @IgorSasovets,
thanks for contributing.

The query string parameter scenario is interesting and makes sense.
Would you like to open a Pull Request? A quick&dirty how to:

1. Fork this repo,
2. switch to the develop branch
3. create a working branch,
4. add your changes to the 2019/en/src/0xa3-improper-data-filtering.md file,
5. commit your changes,
6. push changes to your fork and
7. open the pull request (from your working branch to the develop).

CONTRIBUTING.md has a more complete step-by-step on how to contribute.
I'll be glad to assist you in case of need.

As suggested, we can discuss the NoSQL injection example in a separate issue.
Would you mind to open one (for traceability and attribution purposes)?

Cheers,
Paulo A. Silva

[IgorSasovets]

Hi, @PauloASilva ! Thanks for the quick response. Yes, I'll open a PR for this suggestion. Also, I will create separate issue for the NoSQL example.

Best regards,
Ihor

[IgorSasovets]

@PauloASilva , I created issue for the NoSQL example. Now I'm going to open a PR for query string parameters scenario.

[IgorSasovets]

Opened PR