diff --git a/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md b/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md index 8f62ea7da..158dd4083 100644 --- a/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md +++ b/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md @@ -21,6 +21,12 @@ following limits is missing or set inappropriately (i.e. too low/high) * Request payload size (e.g. uploads) * Number of requests per client/resource +One more issue is Improper Query String Parameters validation. It could lead to +DDoS attacks against the server. Widely spread problem is validation of such +query string parameters as `size`, `page`, .etc. Absence of limitation for max, +min values of these parameters might cause performance issues, Internal Server +Errors. + ## Example Attack Scenarios ### Scenario #1 @@ -40,6 +46,18 @@ combinations using a multi-thread script, against the `/api/system/verification-codes/{smsToken}` endpoint to discover the right token within a few minutes. +### Scenario #3 + +We have a MEAN stack application that contains the users list on a UI. List of +users can be retrieved from the server using a following query: +`/dashboard/users?page=1&size=100`. There are limitation on maximum number of +users per page (on UI side) - 200 users. An attacker changes the size parameter +in order to retrieve large number of users, for example 200 000 or more and it +causes performance issues. For example, load on database increases and it isn't +able to handle other requests; on UI side all functionality take more time to +proceed because server doesn't return required information from the DB. The same +scenario might be used to provoke `Integer Overflow` or `Buffer Overflow` errors. + ## How To Prevent * Docker makes it easy to limit [memory][1], [CPU][2], [number of restarts][3], 
@@ -48,6 +66,8 @@ within a few minutes. timeframe. * Notify the client when the limit is exceeded by providing the limit number and the time at which the limit will be reset. +* Add proper validation for query string parameters and request body on the server + side. ## References
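Review bot: The new paragraph after the limits list in the first hunk (`@@ -21,6 +21,12 @@`) says missing validation "could lead to DDoS attacks", but Scenario #3 below shows a single client sending one oversized `size` value exhausting the server, so this is DoS, not necessarily distributed; "DDoS" should read "DoS" so the two hunks agree. The paragraph also restates what the bullet list right above it enumerates, so it fits better as one more list item, e.g. `* Maximum/minimum values of query string parameters (e.g. \`size\`, \`page\`)`, rather than a separate paragraph. If it stays as prose, fix the wording: "Improper Query String Parameters validation" -> "improper validation of query string parameters", ".etc" -> "etc.", and "Widely spread problem is validation of such" -> "A widespread problem is the missing validation of".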
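Review bot: Scenario #3 in the second hunk (`@@ -40,6 +46,18 @@`) never states the actual flaw, namely that the 200-users-per-page limit is enforced only in the UI while the server accepts any `size` value; add a sentence such as "The server does not enforce this limit, so an attacker changes the `size` parameter to 200000 ..." so the reader sees why the request succeeds. The closing sentence claiming the same request "might be used to provoke `Integer Overflow` or `Buffer Overflow` errors" is unsupported by anything in the scenario (no reason is given why a large `size` would overflow anything in the MEAN application described) and is outside this category's topic of resource exhaustion; drop it or keep the scenario to the performance impact. Minor grammar: "There are limitation on maximum number of users per page" -> "There is a limit on the number of users per page", "retrieve large number of users" -> "retrieve a large number of users", and "all functionality take more time to proceed" -> "every operation takes longer to complete".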
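Review bot: The new prevention bullet in the last hunk (`@@ -48,6 +66,8 @@`), "Add proper validation for query string parameters and request body on the server side", is too generic to act on and does not tie back to the `size`/`page` example in Scenario #3; spell out the control, e.g. "Define and enforce server-side maximum and minimum values for query string and request body parameters (e.g. reject or clamp `size` values above 200 or below 1, and reject non-integer values)", so the reader understands that the limit must live on the server and not only in the UI.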