code-423n4 / code423n4.com

code423n4.com source code
https://code423n4.com/

DOS code4rena website #2200

Closed csanuragjain closed 2 years ago

csanuragjain commented 2 years ago

Due to lack of a Captcha, a malicious user can simply keep on creating teams using register-team.ts or any other action which results in calling the GitHub API to create a new pull request. On repetitive calls, the GitHub API rate limit will trigger and all GitHub API calls will fail, causing a temporary DoS on the C4 website.

Recommendation

Consider adding a Captcha check, which will prevent users from calling the API again and again.

captainmangoC4 commented 2 years ago

Do you think it's enough that we require users to register (and login) in order to create a team? There might be a flaw in my logic, but I assumed that since the user cannot create a team unless logged in, and cannot create a team without adding themself as a member, we would be able to track down anyone who tried a DOS attack in this situation and ban them from the community.

captainmangoC4 commented 2 years ago

I just looked at the register-team.js code again and realized there are not any checks in the function itself to make sure the warden making the request is authenticated or that they have added themselves to the team. All of that logic is client-side. So this should definitely be changed. Great catch!

csanuragjain commented 2 years ago

The only problem left will be register-warden, which will also create a pull request and cannot be behind login. An attacker can use automation to request on this endpoint, causing issues. Using a WAF might also resolve the issue.

captainmangoC4 commented 2 years ago

What if I implement the following checks in register-team:

csanuragjain commented 2 years ago

Yes, that should solve the team registration issue, but the problem will remain for warden registration, where the above fix cannot work since a new user cannot have a Moralis session token. So this user can abuse the warden registration API.

captainmangoC4 commented 2 years ago

Good point. I think we can implement captcha for the registration and confirm account forms, then check the session token in all other cases where a DOS attack could be a risk.

Chomtana commented 2 years ago

I have seen an hCaptcha implementation in your code, but it is currently only applied to apply-for-certified-contributor and request-support.